Publication Date: December 2, 2011
Posted Date: December 2, 2011
Subject: Family Educational Rights and Privacy
FR Part: II
FR Type: Final
[Federal Register Volume 76, Number 232 (Friday, December 2, 2011)]
[Rules and Regulations]
[Pages 75604-75660]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-30683]
Vol. 76 Friday, No. 232 December 2, 2011
Part II
Department of Education
-----------------------------------------------------------------------
34 CFR Part 99
Family Educational Rights and Privacy; Final Rule
-----------------------------------------------------------------------
DEPARTMENT OF EDUCATION
34 CFR Part 99
[DOCKET ID ED-2011-OM-0002]
RIN 1880-AA86
Family Educational Rights and Privacy
AGENCY: Office of Management, Department of Education.
ACTION: Final regulations.
-----------------------------------------------------------------------
SUMMARY: The Secretary of Education (Secretary) amends the regulations
implementing section 444 of the General Education Provisions Act
(GEPA), which is commonly referred to as the Family Educational Rights
and Privacy Act (FERPA). These amendments are needed to ensure that the
U.S. Department of Education (Department or we) continues to implement
FERPA in a way that protects the privacy of education records while
allowing for the effective use of data. Improved access to data will
facilitate States' ability to evaluate education programs, to ensure
limited resources are invested effectively, to build upon what works
and discard what does not, to increase accountability and transparency,
and to contribute to a culture of innovation and continuous improvement
in education. The use of data is vital to ensuring the best education
for our children. However, the benefits of using student data must
always be balanced with the need to protect student privacy. Protecting
student privacy helps achieve a number of important goals, including
avoiding discrimination, identity theft, as well as other malicious and
damaging criminal acts.
DATES: These regulations are effective January 3, 2012. However, State
and local educational authorities, and Federal agencies headed by
officials listed in Sec. 99.31(a)(3) with written agreements in place
prior to January 3, 2012, must comply with the existing requirement in
Sec. 99.35(a)(3) to use written agreements to designate any authorized
representatives, other than employees, only upon any renewal of or
amendment to the written agreement with such authorized representative.
FOR FURTHER INFORMATION CONTACT: Ellen Campbell, U.S. Department of
Education, 400 Maryland Avenue SW., Room 2E203, Washington, DC
20202-8520. Telephone: (202) 260-3887.
If you use a telecommunications device for the deaf (TDD), call the
Federal Relay Service (FRS), toll-free, at 1-(800) 877-8339.
SUPPLEMENTARY INFORMATION: On April 8, 2011, the Department published a
notice of proposed rulemaking (NPRM) in the Federal Register (76 FR
19726). In the preamble to the NPRM, the Secretary stated that the
proposed changes were necessary to ensure the Department's proper
implementation of FERPA, while allowing for the effective use of
student data, and to address other issues identified through the
Department's experience in administering FERPA.
Protecting student privacy is paramount to the effective
implementation of FERPA. All education data holders must act
responsibly and be held accountable for safeguarding students'
personally identifiable information (PII) from education records. The
need for clarity surrounding privacy protections and data security
continues to grow as statewide longitudinal data systems (SLDS) are
built and more education records are digitized and shared
electronically. As States develop and refine their information
management systems, it is critical that they take steps to ensure that
student information is protected and that PII from education records is
disclosed only for authorized purposes and under circumstances
permitted by law. (When we use the term ``disclose'' in this document,
we sometimes are referring to redisclosures as well.)
The amendments reflected in these final regulations establish the
procedures that State and local educational authorities, and Federal
agencies headed by officials listed in Sec. 99.31(a)(3) (FERPA-
permitted entities), their authorized representatives, and
organizations conducting studies must follow to ensure compliance with
FERPA. The amendments also reduce barriers that have inhibited the
effective use of SLDS as envisioned in the America Creating
Opportunities to Meaningfully Promote Excellence in Technology,
Education, and Science Act (the America COMPETES Act) (Pub. L. 110-69)
and the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L.
111-5). Finally, by expanding the requirements for written agreements
and the Department's enforcement mechanisms, the amendments help to
ensure increased accountability on the part of those with access to PII
from education records.
These amendments include definitions for two previously undefined
terms, ``authorized representative'' and ``education program,'' to
permit greater access by appropriate and authorized parties to
information on students in order to evaluate the effectiveness of
education programs. Specifically, we have modified the definition of
and requirements related to ``directory information'' to clarify (1)
that the right to opt out of the disclosure of directory information
under FERPA does not include the right to refuse to wear, or otherwise
disclose, a student identification (ID) card or badge; (2) that schools
may implement a limited directory information policy in which they
specify the parties or purposes for which the information is disclosed;
and (3) the Department's authority to hold State educational
authorities and other recipients of Department funds under a program
administered by the Secretary accountable for compliance with FERPA.
We believe that the regulatory changes adopted in these final
regulations provide clarification on many important issues that have
arisen over time with regard to how FERPA applies to SLDS and to other
requests for data on student progress. Additionally, educational
agencies and institutions continue to face considerable challenges
implementing directory information policies that help them maintain
safe campuses and protect PII from education records from potential
misuse, such as identity theft. These final regulations, as well as the
discussion in the preamble, will assist school officials in addressing
these challenges in a manner that complies with FERPA. These final
regulations also respond to the September 2010 U.S. Government
Accountability Office (GAO) study entitled ``Many States Collect
Graduates' Employment Information, but Clearer Guidance on Student
Privacy Requirements Is Needed,'' by clarifying the means by which
States can collect and share graduates' employment information under
FERPA.
Finally, we have discussed with the U.S. Department of Agriculture
(USDA) the potential effect of these regulations on the use of
information regarding individual children's eligibility for free or
reduced price school meals in the National School Lunch and School
Breakfast Programs (School Meals Programs or SMPs) in connection with
an audit or evaluation of Federal- or State-supported education
programs. Congress recognized that sharing of children's eligibility
information could benefit schools and children participating in the
SMPs. As a result, section 9(b)(6) of the Richard B. Russell National
School Lunch Act, as amended (National School Lunch Act) (42 U.S.C.
1758(b)(6)) permits schools to disclose children's eligibility
information to persons with a need to know who are associated with a
Federal or State education program and who will not
further disclose that information. Because of the importance of
assuring not only that FERPA requirements are met, but also that all of
the Federal confidentiality protections in the National School Lunch
Act are met, the two Departments intend to jointly issue guidance in
the near future for use by the educational community and by State and
local administrators of USDA programs.
Notice of Proposed Rulemaking
In the NPRM, we proposed regulations to:
Amend Sec. 99.3 to define the term ``authorized
representative'' to include individuals or entities designated by
FERPA-permitted entities to carry out an audit or evaluation of
Federal- or State-supported education programs, or for the enforcement
of or compliance with Federal legal requirements related to these
programs (audit, evaluation, or enforcement or compliance activity);
Amend the definition of ``directory information'' in Sec.
99.3 to clarify that a unique student identification (ID) number may be
designated as directory information for the purposes of display on a
student ID card or badge if the unique student ID number cannot be used
to gain access to education records except when used in conjunction
with one or more factors that authenticate the user's identity, such as
a Personal Identification Number, password, or other factor known or
possessed only by the authorized user;
Amend Sec. 99.3 to define the term ``education program''
as any program principally engaged in the provision of education,
including, but not limited to, early childhood education, elementary
and secondary education, postsecondary education, special education,
job training, career and technical education, and adult education;
Amend Sec. 99.31(a)(6) to clarify that FERPA-permitted
entities are not prevented from redisclosing PII from education records
as part of agreements with researchers to conduct studies for, or on
behalf of, educational agencies and institutions;
Remove the provision in Sec. 99.35(a)(2) that required
that any FERPA-permitted entity must have legal authority under other
Federal, State, or local law to conduct an audit, evaluation, or
enforcement or compliance activity;
Amend Sec. 99.35(a)(2) to provide that FERPA-permitted
entities are responsible for using reasonable methods to ensure that
their authorized representatives comply with FERPA;
Add a new Sec. 99.35(a)(3) to require that FERPA-
permitted entities must use a written agreement to designate an
authorized representative (other than an employee) under the provisions
in Sec. Sec. 99.31(a)(3) and 99.35 that allow the authorized
representative access to PII from education records without prior
written consent in connection with any audit, evaluation, or
enforcement or compliance activity;
Add a new Sec. 99.35(d) to clarify that in the event that
the Department's Family Policy Compliance Office (FPCO or Office) finds
an improper redisclosure in the context of Sec. Sec. 99.31(a)(3) and
99.35 (the audit or evaluation exception), the Department would
prohibit the educational agency or institution from which the PII
originated from permitting the party responsible for the improper
disclosure (i.e., the authorized representative, or the FERPA-permitted
entities, or both) access to PII from education records for a period of
not less than five years (five-year rule);
Amend Sec. 99.37(c) to clarify that while parents or
eligible students (students who have reached 18 years of age or are
attending a postsecondary institution at any age) may opt out of the
disclosure of directory information, this opt out does not prevent an
educational agency or institution from requiring a student to wear,
display, or disclose a student ID card or badge that exhibits directory
information;
Amend Sec. 99.37(d) to clarify that educational agencies
or institutions may develop policies that allow the disclosure of
directory information only to specific parties, for specific purposes,
or both; and
Add Sec. 99.60(a)(2) to authorize the Secretary to take
appropriate actions to enforce FERPA against any entity that receives
funds under any program administered by the Secretary, including funds
provided by grant, cooperative agreement, contract, subgrant, or
subcontract.
Changes From the NPRM
These final regulations contain the following substantive changes
from the NPRM:
In Sec. 99.3, we have defined the term ``early education
program'' as that term is used in the definition of education program.
The definition is based on the definition of ``early childhood
education program'' in section 103(8) of the Higher Education Act of
1965, as amended (HEA) (20 U.S.C. 1003(8));
We have made changes to the definition of ``education
program'' in Sec. 99.3 to clarify that any program administered by an
educational agency or institution is considered an education program;
and
We have modified the written agreement requirement in
Sec. 99.35(a)(3) to require that the agreement specify how the work
falls within the exception of Sec. 99.31(a)(3), including a
description of the PII from education records that will be disclosed,
and how the PII from education records will be used.
We have also made the following minor or non-substantive changes
from the NPRM:
We have made minor editorial changes to the definition of
``authorized representative'' in Sec. 99.3 to ensure greater
consistency between the language in that definition and the language in
Sec. 99.35(a)(1);
We have removed language from Sec. Sec.
99.31(a)(6)(iii)(C)(4) and 99.35(a)(3)(iii) and (a)(3)(iv) that
permitted an organization conducting a study or an authorized
representative to return PII from education records to the FERPA-
permitted entity from which the PII originated, in lieu of destroying
such information. We made these changes to more closely align the
regulatory language with the statute and to ensure that the PII from
education records is destroyed as required by the statute;
We have made changes to Sec. 99.35(a)(2) to clarify that
the FERPA-permitted entity from which the PII originated is responsible
for using reasonable methods to ensure to the greatest extent
practicable that any entity or individual designated as its authorized
representative complies with FERPA requirements;
We have made editorial changes to Sec. 99.35(a)(2) so the
language in that section is more consistent with the language in Sec.
99.35(a)(1) regarding the requirements for an audit, evaluation, or
enforcement or compliance activity;
We have clarified in Sec. 99.35(a)(3)(v) that the
required written agreement must establish policies and procedures to
protect PII from education records from further disclosure, including
by limiting use of PII to only authorized representatives with
legitimate interests in the audit, evaluation, or enforcement or
compliance activity;
We have revised Sec. 99.35(b)(1) to refer to a State or
local educational authority or agency headed by an official listed in
Sec. 99.31(a)(3) rather than ``authority'' or ``agency'', to ensure
consistency with the language used in Sec. 99.35(a)(2) and (a)(3);
We have consolidated all regulatory provisions related to
prohibiting an educational agency or institution from disclosing PII
from education records to a third party outside of an educational
agency or institution for at least five years (five-year rule) and
moved them to subpart E of part 99 (What are the
Enforcement Procedures?). Specifically, we--
- Included in Sec. 99.67(c) language from current Sec.
99.31(a)(6)(iv) concerning the application of the five-year rule when
the Department determines that a third party outside the educational
agency or institution fails to destroy PII from education records after
the information is no longer needed for the study for which it was
disclosed;
- Clarified in Sec. 99.67(d) that, in the context of the audit
or evaluation exception, the five-year rule applies to any FERPA-
permitted entity or its authorized representative if the Department
determines that either party improperly redisclosed PII from education
records; and
- Moved to Sec. 99.67(e) the language from current Sec.
99.33(e) concerning the application of the five-year rule when the
Department determines that a third party outside the educational agency
or institution improperly rediscloses PII from education records in
violation of Sec. 99.33 or fails to provide the notification required
under Sec. 99.33(b)(2);
Throughout subpart E of part 99 (Sec. Sec. 99.60 through
99.67), we have revised the language regarding enforcement procedures
to clarify that the Secretary may investigate, process, and review
complaints and violations of FERPA against an educational agency or
institution or against any other recipient of Department funds under a
program administered by the Secretary. This marks a change from the
current provisions, which refer only to the Department's enforcement
procedures against ``educational agencies and institutions,'' which are
defined in Sec. 99.3 as any public or private agency or institution to
which part 99 applies under Sec. 99.1(a). Section 99.1 describes FERPA
as applying to an educational agency or institution to which funds have
been made available under any program administered by the Secretary if
(1) The educational institution provides educational services or
instruction, or both, to students; or (2) the educational agency is
authorized to direct and control public elementary or secondary, or
postsecondary educational institutions; and
Throughout subpart E of part 99 (Sec. Sec. 99.60 through
99.67), we have clarified the procedures that the Office will follow to
investigate, review, process, and enforce the five-year rule against
third parties outside of the educational agency or institution.
Analysis of Comments and Changes
We received a total of 274 comments on the proposed regulations.
The comments represented a broad spectrum of viewpoints from a number
of different interested parties, including students, parents, privacy
advocacy organizations, researchers, numerous associations, and
representatives from schools, local educational agencies (LEAs) (also
referred to as ``districts''), and State educational agencies (SEAs).
We have carefully considered these comments and, as a result of
this public input, have made several changes to the final regulations
since publication of the NPRM. An analysis of the comments and changes
follows. We group major issues according to subject, with applicable
sections of the regulations referenced in parentheses. Generally, we do
not address technical and other minor changes that we made, or respond
to suggested changes that the law does not authorize the Secretary to
make, or to comments that were outside the scope of the NPRM.
General Comments
Definitions
Comment: Several commenters stated that the terms used in the
proposed regulations to refer to the different types of entities
affected by the regulations were unclear and asked for the Department
to clarify their meaning. Specifically, they asked if there is a
difference between an educational agency or institution, on the one
hand, and a State or local educational authority, on the other. Some
commenters requested that we clarify whether a State agency, other than
an SEA, such as a State department of social services, could be
considered a State educational authority under the regulations. Another
commenter asked that we also define the term ``school official'' to
differentiate it from the term ``authorized representative.''
Discussion: There are differences in meaning between the terms
``educational agency,'' ``educational institution,'' and ``State and
local educational authority,'' and we provide the following explanation
to clarify how these terms are used in the context of FERPA and its
implementing regulations.
In general, FERPA applies to an ``educational agency or
institution'' that receives funds under a program administered by the
Secretary. 20 U.S.C. 1232g(a)(3). In Sec. 99.3, we define the term
``educational agency or institution'' as any public or private agency
or institution to which part 99 applies under Sec. 99.1(a).
Educational institution. We use the term ``educational
institution'' to refer to any elementary or secondary school, including
any school funded or operated by the U.S. Department of the Interior's
Bureau of Indian Education (BIE),\1\ or to any postsecondary
institution that receives funds under a program administered by the
Secretary and that provides educational services or instruction, or
both, to students (see Sec. 99.1(a)(1)). Additionally, Sec. 99.3 of
the FERPA regulations defines ``institution of postsecondary
education'' as an institution that provides education to students
beyond the secondary school level. We generally use the term
``institution of postsecondary education'' to refer to colleges and
universities and, in this document, use it interchangeably with the
terms ``postsecondary institution'' and ``institution of higher
education''.
---------------------------------------------------------------------------
\1\ Under section 9204(a) of the Elementary and Secondary
Education Act of 1965, as amended (ESEA), the Secretary of Education
and the Secretary of the Interior are required to reach an agreement
regarding how the BIE will comply with ESEA requirements. Under a
2005 Final Agreement between the Department of Education and the
Department of the Interior, the two Departments agreed, as a general
matter, that the Department of Education would treat BIE as an SEA
and each BIE school as an LEA, for purposes of complying with the
requirements of ESEA.
---------------------------------------------------------------------------
Educational agency. Under Sec. 99.1(a)(2), an ``educational
agency'' is an entity that is authorized to direct and control public
elementary or secondary schools or postsecondary institutions. Thus, we
consider LEAs (a term that we use interchangeably with school
districts) to be ``educational agencies'' in the context of FERPA.
However, we do not generally view SEAs as being ``educational
agencies'' under Sec. 99.1(a)(2) because we interpret the statutory
definition of the term ``student'' to mean that an educational agency
is an agency attended by students. Under paragraph (a)(6) of FERPA, a
``student includes any person with respect to whom an educational
agency or institution maintains education records or personally
identifiable information, but does not include a person who has not
been in attendance at such agency or institution.'' 20 U.S.C.
1232g(a)(6). For example, we have generally considered students to be
in attendance at the Fairfax County Public Schools school district, but
not at the Virginia Department of Education. Therefore, under this
framework, the term ``educational agencies or institutions'' generally
refers to LEAs, elementary and secondary schools, schools operated by
BIE, and postsecondary institutions.
State and local educational authorities. The term ``State and local
educational authority'' is not defined in FERPA. The term ``State and
local
educational authority'' is important in the context of FERPA's audit or
evaluation exception in Sec. Sec. 99.31(a)(3) and 99.35 because State
and local educational authorities are permitted to access, without
consent, PII from education records. We generally have interpreted the
term ``State and local educational authority'' to refer to an SEA, a
State postsecondary commission, BIE, or any other entity that is
responsible for and authorized under local, State, or Federal law to
supervise, plan, coordinate, advise, audit, or evaluate elementary,
secondary, or postsecondary Federal- or State-supported education
programs and services in the State. (See http://www2.ed.gov/policy/gen/guid/fpco/ferpa/library/wku071105.html for more information.) While we
have not generally viewed an SEA as being an educational agency under
Sec. 99.1(a)(2) for the reasons outlined in the preceding paragraph,
it is important to note that we do view an SEA as a State educational
authority for FERPA purposes.
An LEA can be both an educational agency and a local educational
authority under FERPA because an LEA is authorized to direct and
control public elementary and secondary schools and to supervise
Federal- or State-supported education programs and services in the
State. Because an LEA is considered to be an educational authority, the
LEA may conduct an audit or evaluation of a Federal- or State-supported
education program under the audit or evaluation exception. For example,
an LEA may wish to evaluate the effectiveness of a particular program
in the school district.
Some commenters asked whether a State agency other than an SEA,
such as a State social services agency, could be considered an
``educational agency or institution'' or a ``State or local educational
authority.'' We believe that State agencies other than an SEA could,
depending on the individual circumstances, be considered to be an
``educational agency or institution'' or a State educational authority
under FERPA. The Department generally considers a State postsecondary
commission to be a State educational authority because such commissions
are typically responsible for and authorized under State law to
supervise, plan, coordinate, advise, audit, or evaluate Federal- or
State-supported postsecondary education programs and services in the
State. Likewise, a State-administered school that receives funds under
a program administered by the Secretary, such as a school serving
hearing-impaired students, is considered an educational institution
under FERPA because it provides educational services or instruction to
students. In general, the Department does not consider a State social
services agency to be an ``educational agency or institution'' under
FERPA because, although such an agency may provide educational services
or instruction to students, it is not authorized to direct and control
public elementary or secondary or postsecondary educational
institutions, and it does not have students in attendance. In addition,
the Department does not consider a State social services agency to be a
State educational authority because such an agency generally is not
responsible for and authorized under State law to supervise, plan,
coordinate, advise, audit, or evaluate federally or State-supported
elementary, secondary, or postsecondary education programs and services
in the State. However, because States vary widely in how they
administer programs, the Department would make this determination on a
case-by-case basis and evaluate the particular responsibilities of that
agency before giving definitive guidance on whether a particular agency
would be considered an educational agency or institution or a State or
local educational authority under FERPA.
With regard to the request that we define the term ``school
official'' to avoid confusion with the term ``authorized
representative,'' we note that current Sec. 99.31(a)(1) in the FERPA
regulations already describes ``school official.'' This section makes
clear that school officials are teachers and administrators who work
within a school, school district, or postsecondary institution. The
regulations also state in Sec. 99.31(a)(1) that contractors,
consultants, volunteers, or other parties to whom an educational agency
or institution has outsourced institutional services or functions under
the conditions listed in Sec. 99.31(a)(1)(i)(B)(1) through
(a)(1)(i)(B)(3) may be considered school officials with legitimate
educational interests in students' education records. We believe that
this language in Sec. 99.31(a)(1) and the definition of ``authorized
representative'' are sufficiently clear to ensure that there is no
confusion between these different categories of individuals.
Changes: None.
Comment: Several commenters asked the Department to include
definitions for, and examples of, the following terms: ``evaluation,''
``audit,'' ``research,'' ``legitimate educational interest,''
``compliance activities,'' and ``enforcement activities.''
Discussion: The terms identified by the commenters are not defined
in FERPA, and the Department did not propose to define them in the NPRM
because we did not wish to define them in ways that would unnecessarily
restrict the educational community. Moreover, we do not believe it
would be appropriate to define these terms in these final regulations
because the public would not have had an opportunity to comment on
them.
Changes: None.
Fair Information Practice Principles
Comment: Some commenters stated that the proposed amendments to
part 99 in the NPRM represented a ``wholesale repudiation of the fair
information practices.'' Others contended that the proposed regulatory
changes go too far; that the changes would permit the disclosure of
confidential student records to organizations that have little
involvement in education, and the data will be used for purposes
unrelated to education. Others expressed concern that the regulatory
changes would result in student records being used for a wide range of
activities under the pretext that some educational result would be
derived from those activities. Others commented that obtaining parental
consent to permit the disclosure of PII from education records should
be the preferred approach.
Discussion: The Fair Information Practice Principles (FIPPs) are
the foundation for information privacy in the United States. These
principles are sometimes referred to just as FIPs (Fair Information
Practices) and various versions of these principles exist with
different numbering schemes. These principles include: That there be no
secret recordkeeping systems; that individuals should have a way to
find out information about themselves in a record and how it is used;
that individuals be allowed to prevent information obtained for one
purpose from being used for another; that individuals be allowed to
correct records about themselves; and that the organization that
created the record assure its reliability and take steps to prevent
misuse. FIPPs form the basis of most State and Federal privacy laws in
the United States, including FERPA. Like most privacy laws, however,
the FIPPs must be adapted to fit the educational context of data
disclosure. For example, one of the FIPPs principles is that
individuals should have the right to prevent information for one
purpose from being used for another. FERPA expressly permits the
redisclosure, without consent, of PII from education
records for a reason other than the reason for which the PII was
originally collected, if the redisclosure is made on behalf of the
educational agency or institution that provided the PII and the
redisclosure meets the requirements of Sec. 99.31.
The Department is not repudiating FIPPs, but rather is making only
narrow changes to its regulations that it has determined are necessary
to allow for the disclosure of PII from education records to improve
Federal- and State-supported education programs while still preserving
student privacy. The Department remains committed to FIPPs and believes
that the final regulations appropriately embody core FIPPs tenets. In
fact, FIPPs underlay the Department's recent privacy initiatives,
including creating a Chief Privacy Officer position,\2\ creating the
Privacy Technical Assistance Center (PTAC),\3\ and issuing a series of
technical briefs on privacy, confidentiality, and data security.
---------------------------------------------------------------------------
\2\ The Department established an executive level Chief Privacy
Officer (CPO) position in early 2011. The CPO oversees a new
division dedicated to advancing the responsible stewardship,
collection, use, maintenance, and disclosure of information at the
national level and for States, LEAs, postsecondary institutions, and
other education stakeholders.
\3\ PTAC was established to serve as a one-stop resource
for SEAs, LEAs, the postsecondary community, and other parties
engaged in building and using education data systems. PTAC's role is
to provide timely and accurate information and guidance about data
privacy, confidentiality, and security issues and practices in
education; disseminate this information to the field and the public;
and provide technical assistance to key stakeholders. PTAC will
share lessons learned; provide technical assistance in both group
settings and in one-on-one meetings with States; and
create training materials on privacy, confidentiality, and security
issues.
---------------------------------------------------------------------------
We agree that it is preferable to obtain consent before disclosing
PII from education records, and nothing in these final regulations is
intended to change the statutory framework for consent. Nonetheless,
Congress explicitly provided in FERPA that for certain purposes, PII
from education records may be disclosed without consent. 20 U.S.C.
1232g(b).
We recognize that some may fear that these final regulations will
permit the disclosure of PII from education records to improper
parties, or for improper purposes, but we firmly believe such fears
lack foundation. To be clear, these final regulations do not permit PII
from education records to be disclosed for purposes unrelated to
education. For example, the statute limits disclosures to those
organizations that conduct studies for the purposes of ``developing,
validating, or administering predictive tests, administering student
aid programs, and improving instruction.'' We believe that the best
method to prevent misuse of education records is not to bar all
legitimate uses of education data, but rather to provide guidance and
technical assistance on how legitimate uses can be implemented while
properly protecting PII from education records in accordance with
FERPA.
Changes: None.
Comments: Several commenters expressed concern or confusion about
how the FERPA recordation, review, and correction provisions would work
at the various school, LEA, or State levels.
Several commenters raised concerns about ``up-stream data sharing''
as it relates to the validity of the information maintained in SLDS.
They expressed general concern that changes made to education records
at the local level would not be reflected in the SLDS, so that
authorized representatives of an SEA would be looking at out-of-date
information. Some commenters suggested that when schools amend
education records, they should be required to forward these amendments
or corrections to their LEA or SEA.
A few commenters recommended that we require schools to notify
parents and eligible students when PII from education records is
disclosed to an outside entity. One commenter suggested that parents
and students not only be notified, but that they also be given an
opportunity to opt out of the disclosure. Several commenters expressed
support for the notion that parents and students should be able to
inspect and review education records held by authorized
representatives.
One commenter asked why the Department did not propose to use its
``putative enforcement authority'' to create the right for parents and
eligible students to inspect and seek to correct education records in
the hands of authorized representatives.
Discussion: We appreciate the concern that records at State and
local educational authorities be up-to-date to reflect changes made at
the school level. We decline, however, to require schools to forward
every change to ``up-stream'' educational entities, as this would be
overly burdensome. Schools correct and update student education records
on a daily basis and requiring daily ``up-stream'' updates is not
feasible. Rather, we urge LEAs and SEAs to arrange for periodic
updates. We believe that such an arrangement will help ensure the
validity and accuracy of PII from education records disclosed to LEAs
and SEAs and ultimately held in an SLDS.
We decline to adopt the suggestion that schools be required to
notify parents and eligible students when PII from education records is
redisclosed to an outside entity, and to provide parents and eligible
students with an opportunity to opt out of the disclosure. FERPA
expressly provides for disclosure without consent in these
circumstances, a reflection of the importance of those limited
disclosures.
Under Sec. 99.7(a), educational agencies and institutions are
required to annually notify parents and eligible students of their
rights under FERPA. While FERPA does not require that this notice
inform parents or eligible students of individual data sharing
arrangements, we believe that transparency is a best practice. For this
reason, we have amended our model notifications of rights under FERPA
to include an explanation of the various exceptions to FERPA's general
consent disclosure rule. This change to the model notifications should
help parents and eligible students understand under what circumstances,
such as the evaluation of a Federal- or State-supported education
program, PII from education records may be disclosed to third parties
without prior written consent. The Model Notification of Rights under
FERPA for Elementary and Secondary Schools is included as Appendix B to
this notice and the Model Notification of Rights under FERPA for
Postsecondary Institutions is included as Appendix C to this notice;
these model notifications are also available on the FPCO Web site at:
http://www2.ed.gov/policy/gen/guid/fpco/ferpa/lea-officials.html and
http://www2.ed.gov/policy/gen/guid/fpco/ferpa/ps-officials.html.
With respect to the suggestion that we revise the regulations so
that parents and eligible students can inspect and review and seek to
amend education records held by authorized representatives, we note
that FERPA provides a right for parents and eligible students to
inspect and review their education records held by SEAs, LEAs, and
schools. 20 U.S.C. 1232g(a)(1)(A) and (a)(1)(B). The statute does not
provide any right to inspect and review education records held by
authorized representatives of FERPA-permitted entities or other third
parties (other than SEAs). Further, FERPA also provides a right for
parents and eligible students to seek to amend their education records
held by LEAs and schools, but not SEAs. 20 U.S.C. 1232g(a)(2). Again,
however, the statute does not provide any right to seek to amend
education records held by authorized representatives of FERPA-permitted
entities or other third parties. For this
reason, we do not have the authority to expand these statutory
provisions to apply to authorized representatives of FERPA-permitted
entities or other third parties (other than the right to inspect and
review education records maintained by SEAs).
Parents and eligible students seeking to inspect and review a
student's education records held by an authorized representative or a
third party other than the SEA may contact the disclosing school or
LEA. The school or LEA would then be required to allow them to inspect
and review and seek to amend the education records that they maintain.
Additionally, while FERPA does not accord a right to a parent or an
eligible student to inspect and review and seek to amend education
records held by authorized representatives, FERPA-permitted entities
are free to include inspection or amendment requirements in the written
agreements they enter into with their authorized representatives,
assuming it is permissible under applicable State and local law to do
so.
FERPA does not require parental or student notification of
individual data sharing arrangements that may utilize PII from
education records. However, Sec. 99.32(a) does require recordation,
except as provided in Sec. 99.32(d), of disclosures whenever an
educational agency or institution or FERPA-permitted entity discloses
PII from education records under one of the exceptions to the consent
requirement. Thus, the recordation provisions in Sec. 99.32(a)(3)
require educational agencies and institutions to record the parties to
whom they have disclosed PII from education records and the legitimate
interests the parties had in obtaining the information. This
recordation must also identify the FERPA-permitted entities that may
make further disclosures of PII from education records without consent
(see Sec. 99.32(a)(1)). When requested, FERPA-permitted entities must
provide pursuant to Sec. 99.32(b)(2)(iii) a copy of their record of
further disclosures to the requesting educational agency or institution
where the PII from education records originated within a reasonable
period of time, not to exceed 30 days. For example, a school may
request a record of all further disclosures made by its SEA of PII from
education records from that school. The SEA would be required to comply
with this request within 30 days.
Changes: None.
Legal Authority
Comment: Numerous commenters questioned the Department's legal
authority to issue the proposed regulations, stating the proposals
exceed the Department's statutory authority. Enacting the proposed
changes, many of these commenters argued, would require legislative
amendments to FERPA that could not be achieved through the rulemaking
process.
Several commenters also stated that the America COMPETES Act and
ARRA do not confer legal authority upon the Department to propose
regulations that would allow the disclosure of PII from education
records in the manner envisioned in the NPRM. While acknowledging that
the America COMPETES Act generally supports the establishment and
expansion of SLDS, several commenters noted that the America COMPETES
Act requires States to develop and utilize their SLDS only in ways that
comply with the existing FERPA regulations. One commenter stated that
ARRA was merely an appropriations law and did not suggest any shift in
Congressional intent regarding FERPA's privacy protections, information
sharing, or the disclosure of student education records, generally.
Discussion: We disagree with commenters who stated that they
believe the Department lacks the statutory authority to promulgate the
proposed regulations contained in the NPRM. As a general matter, the
Department has broad statutory authority to promulgate regulations to
implement programs established by statute and administered by the
Department. Under section 414 of the Department of Education
Organization Act, 20 U.S.C. 3474, ``[t]he Secretary is authorized to
prescribe such rules and regulations as the Secretary determines
necessary or appropriate to administer and manage the functions of the
Secretary or the Department.'' Similarly, section 410 of GEPA, 20
U.S.C. 1221e-3, provides that the Secretary may ``make, promulgate,
issue, rescind, and amend rules and regulations governing the manner of
operation of, and governing the applicable programs administered by,
the Department.''
Neither section 444 of GEPA, which is more commonly known as FERPA,
nor any other statute, limits the Department's authority to promulgate
regulations to protect the privacy of PII from education records or to
interpret its regulations on FERPA consistently with other Federal
statutes. The proposed regulations in the NPRM fall clearly within the
commonplace use of the Department's regulatory authority. Adopting
these provisions is necessary to ensure that the Department's
implementation of FERPA continues to protect the privacy of PII from
education records, while allowing for PII from education records to be
effectively used, particularly in SLDS.
Moreover, we disagree with the contention that the America COMPETES
Act and ARRA do not provide evidence of Congressional intent to expand
and develop SLDS to include early childhood education, postsecondary,
and workforce information. We believe the America COMPETES Act and ARRA
should be read consistently with FERPA, where permissible. It is a
well-established canon of statutory construction that a statute must
not be interpreted so that it is inconsistent with other statutes where
an ambiguity exists. Where two statutes appear to be inconsistent with
one another, it is appropriate to provide an interpretation that
reconciles them while still preserving their original sense and
purpose. See, e.g., Lewis v. Lewis & Clark Marine, Inc., 531 U.S. 438
(2001); Ruckelshaus v. Monsanto Co., 467 U.S. 986, 1017-18 (1984).
In this case, the Department is interpreting its regulations in a
manner that is consistent with FERPA, the America COMPETES Act, and
ARRA. Under section 6401(e)(2)(D) of the America COMPETES Act, Congress
clearly set forth its desire that States develop SLDS that cover
students from preschool through postsecondary education by including
information such as ``the capacity to communicate with higher education
data systems,'' ``information regarding the extent to which students
transition successfully from secondary school to postsecondary
education, including whether students enroll in remedial coursework,''
and ``other information determined necessary to address alignment and
adequate preparation for success in postsecondary education.''
ARRA provides clear evidence of Congressional intent to support the
expansion of SLDS, and is not merely an appropriations law, as
suggested by one commenter. Section 14001(d) of ARRA specified that the
Governor of a State desiring to receive an allocation under the State
Fiscal Stabilization Fund was required to include assurances in its
application that, among other things, the State will establish a
longitudinal data system that includes the elements described in
section 6401(e)(2)(D) of the America COMPETES Act. All States received
grants under the State Fiscal Stabilization Fund. Thus, all States are
required to include these 12 elements in their SLDS. Through ARRA,
Congress also provided $250 million for additional State grants to
support the expansion of SLDS to include postsecondary and workforce
information, providing further evidence of Congress' intention that
States include these elements in their SLDS.
Interpretations of our current FERPA regulations created obstacles
for States in their efforts to comply with ARRA's requirement that SLDS
include the 12 elements specified in the America COMPETES Act, and
thereby allow for the sharing of education data from preschool to
higher education. The changes that the Department is adopting through
these regulations should eliminate barriers that may have prevented
States from complying with the ARRA assurances while still ensuring
that PII in education records is protected under FERPA. For example,
under these final regulations, a local or State educational authority
may designate a postsecondary institution as its ``authorized
representative,'' in connection with the evaluation of Federal- or
State-supported education programs. As such, the K-12 local or State
educational authority may disclose PII from education records to the
postsecondary institution without consent for purposes of evaluating
either the K-12 or postsecondary Federal- or State-supported education
programs.
If the Department were to make no regulatory changes, as requested
by several commenters, then Congress' stated intentions behind the
America COMPETES Act and ARRA regarding the development and expansion
of SLDS would be significantly impeded. Instead, considering the extent
of data sharing contemplated by these statutes, the Department is
amending several regulatory provisions that have unnecessarily hindered
the development and expansion of SLDS as envisioned by the America
COMPETES Act and required under ARRA, while still remaining consistent
with FERPA's underlying purpose of protecting student privacy.
Changes: None.
FERPA Does Not Provide Authority for Data Collection
Comment: Several commenters expressed concern about the types of
student PII described in the NPRM and what they perceived as the
Department's intent to collect information on individual students. The
Department received similar comments from multiple parties who inferred
from the NPRM that the Department sought to collect information on
students such as ``hair color, blood type or health care history.''
These commenters appeared to believe that the Department would collect
this data and provide it to other Federal agencies, such as Labor and
Health and Human Services, to ``facilitate social engineering such as
development of the type of `workforce' deemed necessary by the
government.''
Discussion: The Department agrees that it should not collect such
information or guide students ``toward predetermined workforce
outcomes,'' as the commenters stated. Moreover, the Department did not
propose in the NPRM to permit the collection of this information or to
conduct the activities described by these commenters.
Commenters mistakenly inferred that the proposed changes to the
regulations would expand the types of data collections that the
Department may require as conditions of receiving Federal funds. FERPA
itself does not establish the authority for any type of data collection
at any level, whether Federal, State, or local. Likewise, FERPA does
not authorize the establishment of SLDS. Congress granted the
Department the authority to provide grants to States for the
development of SLDS under section 208 of the Educational Technical
Assistance Act of 2002, 20 U.S.C. 9607. States have invested in SLDS to
enhance their ability to efficiently and accurately manage, analyze,
and use education data, which includes PII from education records that
are protected under FERPA. SLDS for K-12 education often include data
related to Federal- and State-funded education programs, such as data
related to assessments, grades, course enrollment and completion,
attendance, discipline, special education status, homeless status,
migrant status, graduation or dropout status, demographics, and unique
student identifiers. Schools and LEAs are the primary collectors of
these data. LEAs report these individual student-level data to the SEA
to meet various requirements, and the data is warehoused in the SLDS.
For Federal K-12 reporting, SEAs report aggregated counts at the
State, local, and school levels for various indicators that are
required for participation in Federal education programs, such as the
number of students participating in and served by Title I. Similarly,
postsecondary institutions are required to complete Integrated
Postsecondary Education Data Systems (IPEDS) surveys if they
participate in or are applicants for participation in any Federal
student financial aid program (such as Pell grants and Federal student
loans). While schools, LEAs, SEAs, and postsecondary institutions
maintain student-level data, what is reported to the Department in
IPEDS and in Federal K-12 reporting is aggregated, at a minimum, at the
institutional level. The Department does not collect PII from education
records outside of its duties that require it, such as administering
student loans and grants, conducting surveys, and investigating
individual complaints.
The Department offers this clarification to address the public
comments that mistakenly interpreted the Department's proposed
regulations as a mechanism to collect sensitive personal data on
individual students at the Federal level, including data elements that
are not related to education, to be used for non-educational purposes.
As discussed later in this preamble, the Department is not legally
authorized to create a national, student-level database, and the
Department has no desire or intention to create a student record data
system at the national level. Thus, the SLDS mentioned in these final
regulations refers to individual States' longitudinal data systems, not
a Federal database.
Commenters interested in understanding more about the data
collections required by the Department should visit the Department's
Web site at http://edicsweb.ed.gov and select the ``Browse Active
Collections'' link.
Changes: None.
Comment: Several commenters expressed concern that the Department's
proposal would create a national database of student PII. One commenter
expressed strong opposition to the establishment of a national database
because of concern that such a database could be used for
non-educational purposes. Another commenter recommended that the Department
publicly affirm that it does not support the establishment of a
national database.
Several commenters indicated that the proposed changes reflected in
the NPRM would permit data sharing and linking of SLDS across State
lines, allowing for the creation of a ``de facto'' national database of
student PII. These commenters expressed concern that interconnected
SLDS would invite substantial threats to student privacy. Another
commenter noted that the prohibition regarding the establishment of a
national database in the ESEA demonstrated Congress' intent to
prohibit Federal funding of an interconnected SLDS.
Discussion: The Department is not establishing a national database
of PII from education records and we have no intention to do so.
Moreover, neither ESEA nor HEA provides the Department with the
authority to establish a Federal database of PII from education
records. Specifically, ``[n]othing in [ESEA] * * * shall be construed
to authorize the development of a nationwide database''
of PII from education records. 20 U.S.C. 7911. Likewise, ``nothing in
[HEA] shall be construed to authorize the development, implementation,
or maintenance of a Federal database'' of PII from education records.
20 U.S.C. 1015c(a).
On the other hand, we do not agree with the suggestion that
Congress intended to prohibit States from developing their own SLDS or
linking SLDS across State lines. The right to develop SLDS or link SLDS
across State lines is reserved to the States. Both ESEA and HEA permit
States or a consortium of States to develop their own State-developed
databases. In fact, HEA specifically states that it does not prohibit
``a State or a consortium of States from developing, implementing, or
maintaining State-developed databases that track individuals over time,
including student unit record systems that contain information related
to enrollment, attendance, graduation and retention rates, student
financial assistance, and graduate employment outcomes.'' 20 U.S.C.
1015c(c).
The Department does not agree with those commenters who expressed
concerns that the linking of SLDS across State lines would allow for
the creation of a ``de facto'' national database of student PII. First,
as discussed earlier, States are not prohibited from establishing their
own SLDS or linking SLDS across State lines provided that they do so in
compliance with all applicable laws, including FERPA. Second, if a
consortium of States chose to link their individual SLDS across State
lines, such a system of interconnected SLDS would not be ``national''
because the Federal Government would not play a role in its operation.
Rather, responsibility for operating such a system would lie entirely
with the consortium of States.
Further, Congress made clear in the America COMPETES Act and ARRA
that it supports the development and expansion of SLDS. For example,
title VIII of ARRA appropriated $250,000,000 to the Institute of
Education Sciences to carry out section 208 of the Educational
Technical Assistance Act to provide competitive grants to States for the
development of their SLDS that include early childhood through
postsecondary and workforce information. In addition, section 14005 of
ARRA provides that in order to receive funds under the State Fiscal
Stabilization Fund a State was required to provide an assurance that it
will establish an SLDS that includes the elements described in section
6401(e)(2)(D) of the America COMPETES Act (20 U.S.C. 9871). Consistent
with congressional intent, these activities are only being carried out
at the State level, not through the creation of a Federal database.
These final regulations will help reduce barriers that have hindered
States and consortia of States from developing, implementing, and
maintaining their own SLDS.
Changes: None.
Use of Social Security Numbers
Comment: Several commenters requested clarification on whether
Social Security numbers (SSNs) could be maintained in an SLDS or used
as a linking variable. These commenters stated that they had been
hindered in their efforts to build a robust SLDS by limitations on the
exchange of SSNs. Other commenters suggested that the use of SSNs,
names, and dates of birth be minimized, and that SLDS should instead
create a common identifier that would allow the SEA and its authorized
representative to match student records data without an unnecessary
transfer of SSNs and other identifying information.
Discussion: We understand that data contained within an SLDS cannot
be used effectively without using unique linking variables. Without the
use of linking variables, States would be unable to monitor the
educational progress and experiences of individual students as they
progress through the education system across grade levels, schools,
institutions, and into the workforce.
FERPA does not prohibit the use of a SSN as a personal identifier
or as a linking variable. However, we agree with commenters that the
use of SSNs should be minimized given that SSNs are often used by
criminals for identity theft. The Federal Government itself attempts to
minimize the use of SSNs. See, e.g., Office of Management and Budget
(OMB) Directive M-07-16, ``Safeguarding Against and Responding to the
Breach of Personally Identifiable Information,'' and ``Guidance for
Statewide Longitudinal Data Systems,'' (National Center for Education
Statistics (NCES) 2011-602). The importance of limiting SSN use is
recognized in FERPA, as schools are prohibited from designating SSNs as
directory information. Hence, while FERPA does not expressly prohibit
States from using SSNs, best practices dictate that States should limit
their use of SSNs to instances in which there is no other feasible
alternative.
Changes: None.
Disclosures Beyond State Lines
Comment: Several commenters sought clarification on whether FERPA
allowed PII from education records to be disclosed across State lines,
noting that there is increased demand to disclose PII from education
records to third parties in other States to make comparative
evaluations of Federal- or State-supported education programs, or to
connect data on students who may be educated in multiple States. For
example, one commenter asked the Department to clarify whether FERPA
would permit postsecondary institutions to disclose PII from education
records, including outcome data back to high schools in another State.
Several stakeholders have raised questions about whether the
proposed regulations would permit the State educational authority in
one State to designate a State educational authority in another State
as its authorized representative to disclose PII from education records
from one authority to the other.
Another commenter recommended that the Department restrict the
disclosure of PII from education records under the audit or evaluation
exception to authorized representatives within a State, or
alternatively limit out-of-State authorized representatives to only
other State educational authorities. Another commenter also asked about
a school's ability to disclose PII from education records to other
countries.
Discussion: FERPA makes no distinctions based on State or
international lines. However, transfers of PII from education records
across international boundaries, in particular, can raise legal
concerns about the Department's ability to enforce FERPA requirements
against parties in foreign countries. It is important to keep in mind
that for a data disclosure to be made without prior written consent
under FERPA, the disclosure must meet all of the requirements under the
exceptions to FERPA's general consent requirement. For example, if the
conditions under the audit or evaluation exception in FERPA are met, a
State educational authority could designate an entity in a different
State as an authorized representative for the purpose of conducting an
audit or evaluation of the Federal- or State-supported education
programs in either State. The disclosure of PII from education records
is not restricted by geographic boundaries. However, disclosure of PII
from education records for an audit or evaluation of a Federal- or
State-supported education program is permitted only under the written
agreement requirements in Sec. 99.35(a)(3) that apply to that
exception. Under these requirements, the disclosing entity would need
to take reasonable methods
to ensure to the greatest extent practicable that its authorized
representative is in compliance with FERPA, as is explained further
under the Reasonable Methods (Sec. 99.35(a)(2)) section in this
preamble. More specifically, an LEA could designate a university in
another State as an authorized representative in order to disclose,
without consent, PII from education records on its former students to
the university. The university then may disclose, without consent,
transcript data on these former students to the LEA to permit the LEA
to evaluate how effectively the LEA prepared its students for success
in postsecondary education.
Changes: None.
Cloud Computing
Comment: Several commenters sought clarification on whether the
proposed regulations would permit cloud computing, where data can be
hosted in a different State or country. Commenters suggested that the
final regulations not discriminate based on where data are hosted.
Discussion: The Department has not yet issued any official guidance
on cloud computing, as this is an emerging field. We note, however,
that the Federal Government itself is moving towards a model for secure
cloud computing. Regardless of whether cloud computing is contemplated,
States should take care that their security plans adequately protect
student data, including PII from education records, regardless of where
the data are hosted.
Changes: None.
Administrative Burden
Comment: Several commenters predicted an increase in administrative
time and resources needed to comply with the proposed regulations, with
one predicting an ``exponential'' increase. Given the current state of
State budget deficits, several commenters asked the Department to
provide guidance for ways to decrease burden, such as offering
``planning and streamlining administrative processes and tools,'' while
still ensuring the protection of PII from education records.
Discussion: The Department appreciates this suggestion and
acknowledges the current reality of State budget deficits. The
Department believes, however, that regulating the specifics of data
sharing would drive up costs, not reduce them. The Department notes
that the changes reflected in these regulations aim to reduce the
barriers to data sharing while still protecting student privacy. FERPA
regulations themselves also do not require any data sharing by
educational agencies or institutions; these data sharing activities are
voluntary, and may occur at the discretion of educational agencies or
institutions. We recognize that some educational agencies and
institutions may need technical assistance from the Department to help
ensure that their data sharing activities comply with these
regulations, and the Department will help meet this potential need for
SEAs and LEAs.
See the Potential Costs and Benefits, elsewhere in this preamble,
for our estimation of costs associated with these regulations.
Changes: None.
Audit or Evaluation Exception (Sec. 99.35)
General Discussion
Comment: We received many comments supporting the proposed changes
to the audit or evaluation exception. A comment co-signed by two dozen
organizations supported the proposed regulations as the revised
interpretations would permit more opportunities for data analysis by
States, LEAs, schools, and research organizations.
Other commenters generally expressed support for the proposed
changes, asserting that they would increase the ability to evaluate and
improve education programs.
Supporters of the proposed regulations noted that, by reducing
barriers to data sharing, more States would be able to connect their
data systems to drive improvement in K-12 schools. Commenters noted
several specific evaluations that would be possible with the proposed
amendments to the audit or evaluation exception. For example, an
evaluation of college freshmen, who all graduated from the same high
school, may reveal the students needed postsecondary remediation in
math. This information could help the high school improve its math
program.
Likewise, career and technical education (CTE) agencies would be
able to improve program effectiveness by accessing more data with their
collaborative partners in workforce development and other non-
educational agencies that prepare students for college and careers.
Several commenters noted that these changes would allow State
departments of education to assess their CTE programs and meet Federal
accountability requirements in the Carl D. Perkins Vocational and
Technical Education Act of 2006 (Pub. L. 109-270). Those that were
supportive of these amendments stated that the written agreement
requirements were reasonable and would help protect the confidentiality
of the data.
Discussion: The Department agrees with these commenters that these
activities would be permissible under these final regulations.
Changes: None.
Comment: One commenter stated that the Department's proposed change
to remove the requirement in Sec. 99.35(a)(2) that express authority
is required under Federal, State, or local law to conduct an audit,
evaluation, or enforcement or compliance activity would turn a narrow
exception to consent into a ``magic incantation'' that would allow
``unfettered access'' to PII from education records for purposes other
than what Congress intended. Several commenters objected on the grounds
that the proposed change would result in confusion, with educational
institutions struggling to separate real claims of authority from
frivolous or false ones. Finally, a few commenters contended that the
Department lacks the legal authority to make this proposed change.
Discussion: In 2008, we amended Sec. 99.35(a)(2) of the
Department's FERPA regulations to specifically require that legal
authority exist under Federal, State, or local law to conduct an audit,
evaluation, or enforcement or compliance activity. While we imposed no
requirement to identify legal authority for other exceptions, we
explained that we added this requirement to the audit or evaluation
exception because we viewed the educational community as being
significantly confused about who may receive education records without
consent for audit or evaluation purposes under Sec. 99.35. We
explained that ``[i]t [was] not our intention in Sec. 99.35(a)(2) to
require educational agencies or institutions and other parties to
identify specific statutory authority before they disclose or
redisclose PII from education records for audit or evaluation purposes
but to ensure that some local, State or Federal authority exists for
the audit or evaluation, including for example an Executive Order or an
administrative regulation.'' 73 FR 74806, 74822 (December 9, 2008).
In the NPRM, we proposed removing the language regarding legal
authority in Sec. 99.35(a)(2) due to confusion caused by the 2008
regulations. We explained in the preamble of the NPRM that the
authority for a FERPA-permitted entity to conduct an audit, evaluation,
or enforcement or compliance activity may be express or implied. The
intent behind this proposed change was to make clear that Federal,
State, and local
law determine whether a given audit or evaluation is permitted, not
FERPA.
Based on the comments, however, we are concerned that our
explanation in the NPRM was not sufficiently clear. Certainly, if an
educational agency or institution is concerned that a third party
seeking access to PII from education records is not authorized under
Federal, State, or local law to conduct an audit, evaluation, or
enforcement or compliance activity, that educational agency or
institution should seek guidance from its attorneys or from the State
attorney general if the concern involves the interpretation of State
law. If the concern involves the interpretation of Federal law, the
educational agency or institution should seek guidance from its
attorneys or from the Federal agency that administers the law in
question. FERPA itself does not confer the authority to conduct an
audit, evaluation, or enforcement or compliance activity.
We disagree with the commenters' contention that the Department
lacks legal authority to amend the 2008 regulations. Because the
statute itself does not specifically require that legal authority is
necessary under Federal, State, or local law before an audit,
evaluation, or enforcement or compliance activity may be conducted--and
is, in fact, entirely silent on this issue--we retain the authority,
subject to rulemaking requirements, to remove the language we added in
2008, effectively clarifying that the authority may be either express
or implied. This deletion makes Sec. 99.35(a)(2) consistent with the
rest of the regulations, which do not address legal authority beyond
FERPA.
Changes: None.
Comment: One commenter stated that the Department lacked the
authority to regulate how education records are shared with respect to
programs that are funded by the U.S. Department of Health and Human
Services (HHS). Specifically, this commenter stated the authority to
regulate education records maintained by Early Head Start and Head
Start programs (collectively, ``Head Start'') fell within the exclusive
jurisdiction of HHS and could not be regulated by the Department of
Education. This commenter relied upon a provision in the Head Start Act
that states the:
Secretary [of HHS], through regulation, shall ensure the
confidentiality of any personally identifiable data, information,
and records collected or maintained under this subchapter by the
Secretary or any Head Start agency. Such regulations shall provide
the policies, protections, and rights equivalent to those provided
to a parent, student, or educational agency or institution under
[FERPA].
42 U.S.C. 9836a(b)(4)(A). This commenter also suggested that the
Department and HHS work together to minimize the financial burden of
the proposed regulations on Head Start agencies.
Discussion: We disagree with the commenter's contention that
proposed Sec. Sec. 99.3 and 99.35 would supplant the authority of HHS
as those provisions relate to Head Start; these proposed changes would
not overreach into HHS' ``sphere of activity.'' First, we note that
FERPA applies directly to LEAs that receive funding under a program
administered by the Department, including the Head Start programs that
they operate. Concurrent jurisdiction exists between the Department and
HHS for these Head Start programs. The Department did not propose in
the NPRM that FERPA requirements would apply to Head Start programs not
under the concurrent jurisdiction of the Department and HHS.
Further, under current regulations, SEAs and LEAs receiving funding
under a program administered by the Department--and, therefore, falling
under the Department's exclusive jurisdiction--are unable to disclose
PII from educational records, such as the kindergarten grades of former
Head Start students, to Head Start programs in order to evaluate the
effectiveness of the Head Start programs. These final regulations
permit State and local educational agencies and BIE funded and operated
schools to disclose PII from education records to Head Start programs
for an audit, evaluation, or enforcement or compliance activity. We
believe this change aligns with Congress' stated intention in the
America COMPETES Act and ARRA to link data across all sectors.
Permitting access to student longitudinal data also builds upon the
Department's and HHS' commitment to coordinate programs administered by
State and local educational agencies and BIE funded and operated
schools with early learning programs administered by non-educational
agencies.
Finally, the Department believes that any potential financial
burden on Head Start agencies that may result from these regulations is
outweighed by the elimination of unnecessary barriers to the evaluation
of their programs and the increased flexibility in the operation of
their programs. Nonetheless, the Department is committed to working
with HHS to minimize the financial burden of these regulations should
such an increase in burden actually occur.
Changes: None.
Comment: One commenter asked whether the proposed regulations would
allow an entity that receives PII from education records under the
audit or evaluation exception to redisclose the PII from education
records over the original disclosing entity's objection.
Discussion: In 2008, we amended the FERPA regulations to expressly
permit FERPA-permitted entities to redisclose PII from education
records received under the audit or evaluation exception in certain
conditions. See Sec. 99.33(b)(1) and (b)(2). For example, this change
permitted an SEA to redisclose PII ``on behalf of'' the LEA if the
redisclosure is to another school where the student seeks or intends to
enroll, under Sec. Sec. 99.31(a)(2) and 99.34 and the recordkeeping
requirements in Sec. 99.32(b)(1) or (b)(2) are met.
However, in 2008 we did not clarify that a redisclosure under the
studies exception would be on behalf of an educational agency or
institution if the SEA or other FERPA-permitted entity believed it
would benefit the educational agency or institution.
In the NPRM, we specifically proposed that FERPA-permitted entities
that receive PII from education records under the audit or evaluation
exception be able to redisclose the PII from education records under
the studies exception if all requirements of that exception are met.
For example, a FERPA-permitted entity would be permitted to redisclose
PII from education records under the studies exception in Sec.
99.31(a)(6) if: (1) The FERPA-permitted entity has the express or
implied legal authority to have the study in question conducted, and
(2) the educational agency or institution either agrees to the
redisclosure, in which case the redisclosure would be ``for'' the
educational agency or institution, or the study is designed to improve
instruction, in which case the redisclosure would be ``on behalf of''
the educational agency or institution. Accordingly, a redisclosure may
be ``for'' or ``on behalf of'' the original disclosing entity even
if that entity objects to the redisclosure. For instance, an SEA
receiving PII from an LEA may redisclose PII ``on behalf of'' the LEA
if the redisclosure is for a study designed to improve the LEA's
instruction. In this example, it would be irrelevant if the LEA
objected to the SEA's redisclosure. FERPA-permitted entities that make
further disclosures of PII from education records under the studies
exception also must comply with the conditions specified in Sec.
99.31(a)(6) and ensure that the recordkeeping requirements in Sec.
99.32(b)(1) or (b)(2) have been met.
Changes: None.
Definition of ``Education Program'' (Sec. Sec. 99.3 and 99.35)
Comment: Many commenters were supportive of the proposal to define
the term ``education program.'' Many of these commenters commended the
Department's proposal to adopt a broad definition of ``education
program'' because doing so recognizes the fact that education begins
prior to kindergarten and involves programs not administered by State
or local educational agencies. While some commenters expressed concern
that an overly broad definition of ``education program'' would result
in extraneous programs being wrongly allowed access to student PII from
education records, others expressed concern that an overly narrow
definition would hinder legitimate data sharing needed to improve
education programs. One commenter was concerned that the definition
would omit programs many believe are necessary for students to succeed
but may not be ``principally engaged in the provision of education.''
The commenter gave several examples including substance abuse, anti-
bullying, and suicide prevention programs.
Numerous commenters provided other examples of specific programs
and asked the Department to identify if those programs would be
considered an education program under the proposed definition.
Commenters specifically requested clarity about what types of early
childhood programs would be considered education programs. A few
commenters suggested that the Department utilize the HEA definition of
``early childhood education program.''
One commenter suggested that we change ``principally'' to
``primarily'' in the definition of ``education program.'' Another
recommended that the definition include ``transitions from secondary to
postsecondary education.'' We also received the suggestion that we
amend the definition of ``education program'' to specify that the
program must be principally engaged in the provision of education to
students in early childhood through postsecondary.
One commenter requested further clarity regarding who determines
whether a program meets the definition of ``education program'' and how
to handle any potential disputes regarding that determination.
Another commenter suggested that the Department was acting outside
of its legal authority to expand the use of PII from education records
to programs not administered by an educational agency or institution,
and termed it an ``unreasonable interpretation.''
Discussion: The Department has decided to make several changes to
the definition as a result of the comments received. Whether a program
is determined to be an education program should be based on the
totality of the program, and not on whether the program contains a
specific ``incidental educational or training activity within a broader
non-education program,'' as suggested by one commenter. The number of
commenters requesting clarity on which early childhood programs would
be considered education programs under FERPA suggested a real need for
the Department to define the term in the regulations to support
faithful implementation of the FERPA amendments in the field. We agree
with those commenters who suggested that the Department utilize the HEA
definition of ``early childhood education program'' and are adopting
this definition for several key reasons. By adopting a definition
already established by Congress, we are confident that it will provide
the requested clarity. This definition also provides greater
consistency across Federal programs, resulting in more transparency and
less burden.
The final regulations provide that any program administered by an
educational agency or institution is considered to be an education
program. We have made this change to ensure that, in addition to
programs dedicated to improving academic outcomes, this definition
includes programs, such as bullying prevention, cyber-security
education, and substance abuse and violence prevention, when
administered by an educational agency or institution.
It is the Department's intent that the following types of programs,
regardless of where or by whom they are administered, fall under the
new definition of ``education program'': The educational programs
conducted by correctional and juvenile justice facilities or
alternative long-term facilities such as hospitals, dropout prevention
and recovery programs, afterschool programs dedicated to enhancing the
academic achievement of its enrollees, schools for the hearing and
visually impaired, college test tutoring services, and high school
equivalency programs. The following are examples of the types of
programs that will generally be excluded from the definition of
``education program'': Programs that are principally engaged in
recreation or entertainment (such as programs designed to teach
hunting, boating safety, swimming, or exercise), programs administered
by direct marketers, and neighborhood book clubs. These are not all-
inclusive lists; each program will need to be assessed to determine if
it meets this regulatory definition of ``education program'' because it
is principally engaged in the provision of education.
The Department declines to change the word ``principally'' to
``primarily'' in the definition of ``education program'' because we
view these terms as being synonymous and interchangeable. The
Department also declines to explicitly state that transitions from
secondary to postsecondary education are included in the definition,
because any transition program must meet the definition of ``education
program,'' and it may be misleading to list some types of these
programs and not others. The Department further declines to amend the
definition of ``education program'' to require that the education
program be principally engaged in the provision of education to
``students'' in early childhood through postsecondary education.
Explicitly adding ``students'' to the definition would potentially
exclude certain programs that would otherwise fit under this definition
and that the Department intends to include. For example, this change
would be particularly problematic for early childhood education
programs, such as Head Start and IDEA Part C, which refer to their
participants as children and infants or toddlers, respectively, not
students. Head Start and IDEA Part C are explicitly included in the
definition of ``early childhood education program,'' and the Department
refrains from adding language that would contradict this definition and
create confusion for implementation.
FERPA-permitted entities may disclose PII from education records
without obtaining consent in order to conduct an audit, evaluation, or
enforcement or compliance activity. FERPA permits these disclosures to
occur without consent, but FERPA-permitted entities have the discretion
to set their own policies and practices for implementing these
disclosures, including any resolution processes that may be necessary
to handle disputes regarding whether a program meets the definition of
education program.
Finally, we disagree with the commenters who suggested that the
Department lacks the legal authority to define ``education program'' in
a way that would allow authorized representatives to use PII from
education records to evaluate programs not administered by an
educational agency or institution. As discussed elsewhere in greater
detail, the
Department has broad authority under GEPA to promulgate regulations
that implement programs established by statute and administered by the
Department, including FERPA. In this case, nothing in the statute
itself or its legislative history limits the Department's authority to
define ``education program,'' a previously undefined term.
The new definition of ``education program'' helps to ensure that
the FERPA regulations do not impede States' ability to comply with
ARRA. As discussed in the NPRM, in order to ensure that the
Department's regulations do not create obstacles to States' compliance
with ARRA, the Department sought to find a solution that would give
effect to both FERPA and this more recent legislation by defining the
term ``education program'' to include programs that are not
administered by an educational agency or institution.
The Department's definition of the term ``education program'' is
intended to facilitate the disclosure of PII from education records, as
necessary, to evaluate a broad category of education programs.
The Department's definition of ``education program'' is also
intended to harmonize FERPA and ARRA so as to protect PII from
education records, even where the Department may not have a direct
funding relationship with the recipient of PII from education records.
We believe that the definition of the term ``education program''
sufficiently recognizes those common elements among entities that need
to evaluate education programs and services, regardless of whether the
education programs are funded by the Department.
Changes: In Sec. 99.3, we have added a definition of the term
``early childhood education program.'' In addition, we have revised the
definition of ``education program'' to include any program that is
administered by an educational agency or institution.
Comment: One commenter requested that the Department clarify that
PII from education records disclosed without obtaining consent under
the audit or evaluation exception must be limited to PII related to
educational data, given the wider variety of health information and
other PII included in the school records of students with disabilities.
Discussion: Under the audit or evaluation exception, PII from
education records may be disclosed without consent only to audit or
evaluate Federal- or State-supported education programs, or to enforce
or to comply with Federal legal requirements related to such programs.
If PII from education records related to a student's health is
necessary to evaluate an education program, this information may be
disclosed without obtaining consent, provided all other requirements in
the regulations are met. However, the same information would not be
permitted to be disclosed without obtaining consent to evaluate the
effectiveness of a health program.
Changes: None.
Definition of Authorized Representative (Sec. Sec. 99.3 and 99.35)
Comment: Numerous commenters expressed support for our proposed
definition of the term ``authorized representative.'' Among other
reasons given for support, commenters stated that they were confident
that the definition would facilitate better evaluations or would lead
to an increased ability to conduct evaluations of Federal- and State-
supported education programs. One commenter stated that the proposed
definition was appropriate and necessary and reasonable in scope. One
commenter was especially pleased that an SEA or LEA would have the
ability to designate an individual or entity under the new definition
for the purposes of conducting evaluations. Multiple commenters stated
that the proposed definition would assist SEAs in handling PII
disclosed from education records and in linking it across sectors,
including the education and workforce sectors for the purposes of an
audit, evaluation, or enforcement or compliance activity.
Finally, one commenter stated that FERPA-permitted entities under
Sec. 99.31 should include tribal education agencies (TEAs). This
commenter contended that because FERPA regulations allow for the
disclosure, without consent, of PII from education records to ``State
and local educational authorities'' for audit or evaluation of Federal-
and State-funded education programs, TEAs--the education arms of
sovereign tribal governments--should also be allowed to access PII from
education records without consent.
Discussion: The Department agrees with these commenters that the
definition of the term ``authorized representative'' in the final
regulations will increase the ability of FERPA-permitted entities to
conduct audits or evaluations of Federal- and State-funded education
programs, including those that link PII from education records across
the education and workforce sectors.
As for TEAs, the Department's current interpretation of ``State and
local educational authorities'' does not include them. Although the
Department, as part of its proposal for the reauthorization of ESEA,
supports strengthening the role of TEAs in coordinating and
implementing services and programs for Indian students within their
jurisdiction, we did not propose to define the term ``State and local
educational authorities'' in the NPRM and, therefore, decline to
regulate on it without providing the public with notice and the
opportunity to comment. The Department's interpretation of the term
``State and local educational authorities'' does, however, include BIE.
Changes: None.
Comment: One commenter requested that we clarify the proposed
definition of the term ``authorized representative'' to make it more
similar to the regulatory language currently used in Sec. 99.35(a)(1).
This commenter expressed concern that, in our proposed definition, an
authorized representative could be interpreted to mean an individual or
entity who is engaged only in activities connected to Federal legal
requirements related to Federal or State supported education programs.
The commenter noted that Sec. 99.35(a)(1) addresses both audit or
evaluation activities associated with a Federal- or State-supported
education program, and activities associated with enforcement of, or
compliance with, Federal legal requirements that relate to those
programs. The commenter recommended that we clarify the definition of
the term ``authorized representative'' to align it with Sec.
99.35(a)(1) and make clear that the Federal legal requirement only
modifies the compliance or enforcement activity. Specifically, when
describing the activities an authorized representative can carry out,
the commenter requested we add an ``or'' between the words ``audit''
and ``evaluation,'' as opposed to a comma, and the word ``any'' before
the term ``compliance or enforcement activity.''
Discussion: We intend for our definition of the term ``authorized
representative'' to cover both an individual or an entity engaged in
the enforcement of or compliance with Federal legal requirements
related to Federal- or State-supported education programs, and also to
cover an individual or an entity conducting an audit or evaluation of a
Federal- or State-supported education program. Accordingly, we are
making this clarification in the definition.
Changes: We have made the minor changes suggested by the commenter
to the definition of ``authorized representative''.
Comment: Multiple commenters suggested that the Department exceeded
its legal authority by proposing to define the term ``authorized
representative.'' While acknowledging that FERPA does not define this
term, these commenters stated that authorized representatives should
only consist of the Comptroller General, the Attorney General, the
Secretary, and State and local educational authorities since FERPA
specifically allows for the disclosure of PII from education records to
these entities. The commenters contended that expanding the definition
beyond the four entities specifically identified in FERPA would be
impermissible and that such a change would require congressional
action. A few commenters pointed to a statement from the preamble to
the final FERPA regulations (73 FR 74806, 74828) published in the
Federal Register on December 9, 2008, in which the Department stated
that ``any further expansion of the list of officials and entities in
FERPA that may receive education records without the consent of the
parent or the eligible student must be authorized by legislation
enacted by Congress.''
Other commenters objected to the rescission of the ``direct
control'' requirement contained in the policy guidance on authorized
representatives issued by then-Deputy Secretary of Education William D.
Hansen in a memorandum dated January 30, 2003 (Hansen Memorandum). The
Hansen Memorandum required that under the ``audit or evaluation
exception,'' an authorized representative of a State educational
authority must be a party under the direct control of that authority,
e.g., an employee or a contractor. Under the Hansen Memorandum, an SEA
or other State educational authority could not disclose PII without
consent from education records to other State agencies, such as a State
health and human services department, a State unemployment insurance
department, or a State department of labor because these State agencies
were not under the SEA's direct control.
Commenters further cited the conclusion in the Hansen Memorandum
that the two references to the word ``officials'' in paragraph (b)(3)
of FERPA reflect a congressional concern that the authorized
representatives of a State educational authority be under the direct
control of that authority. Specifically, commenters relied upon a
December 13, 1974, joint statement in explanation of the Buckley/Pell
Amendment (Joint Statement) that suggested that FERPA ``restricts
transfer, without the consent of parents or students, of PII concerning
a student to * * * auditors from the General Accounting Office and the
Department of Health, Education, and Welfare.'' From this Joint
Statement, these commenters suggested that Congress did not intend for
``authorized representative'' to be defined as broadly.
Commenters also cited several policy reasons for precluding other
entities from serving as authorized representatives of FERPA-permitted
entities, including that this definition would weaken the
accountability of State or local educational authorities and would
allow criminals, repeated privacy violators, and those with dubious
standing to serve as authorized representatives. One commenter
questioned whether individual State politicians or private companies
could be authorized representatives.
One commenter, though supporting our definition of the term
``authorized representative,'' suggested that the definition of the
term was too narrow and should be broadened to include child welfare
agencies and their obligations to monitor the education outcomes of the
children in their care. One commenter challenged the Department's
proposed definition of ``authorized representative'' on the grounds
that it constituted an unlawful sub-delegation of the Department's
statutory authority by vesting the interpretation of FERPA in non-
Federal entities. This commenter cited U.S. Telecom Ass'n v. F.C.C.,
359 F.3d 554, 565 (DC Cir.), cert. denied, 543 U.S. 925 (2004), in
support of the position that such delegations are ``improper absent an
affirmative showing of congressional authorization.''
Discussion: It is important to note that FERPA does not define the
term ``authorized representative.'' In the absence of a statutory
definition, the Supreme Court has made it clear that it is appropriate
to ``construe a statutory term in accordance with its ordinary or
natural meaning.'' See, e.g., FDIC v. Meyer, 510 U.S. 471, 476 (1994).
In this case, ``authorize'' is commonly understood to mean to:
``Invest especially with legal authority: EMPOWER * * *.''
``Representative'' is commonly understood to mean: ``* * * standing or
acting for another especially through delegated authority * * *.''
Merriam-Webster's Collegiate Dictionary (11th Ed. 2011).
Following these standard definitions of ``authorize'' and
``representative,'' it is entirely appropriate that we permit State
educational authorities, the Secretary, the Comptroller General, and
the Attorney General to have the flexibility and discretion to
determine who would best be able to represent them in connection with
audits, evaluations, or enforcement or compliance activities.
Restricting their discretion to select only their own officers and
employees or those under their ``direct control'' is not required by
the term's plain, dictionary meaning.
Additionally, we do not find the policy concerns for precluding
other entities from serving as authorized representatives offered by
commenters to be persuasive. While nothing in the final regulations
specifically prohibits a State politician or private company, for
example, from being designated as an authorized representative, the
full requirements under FERPA must be met before PII from education
records may be disclosed to any party. These regulations do not expand
any of the reasons an individual or an entity can be designated as an
authorized representative. As before, it may only be done to conduct an
audit, evaluation, or enforcement or compliance activity. For example,
to authorize a representative to conduct an evaluation, there must be a
written agreement specifying the terms of the disclosure, and PII from
education records may only be used for the purposes specified in the
written agreement; the FERPA-permitted entity authorizing the
evaluation must also take reasonable methods to ensure to the greatest
extent practicable that its authorized representative complies with
FERPA, as is explained in the ``Reasonable Methods (Sec.
99.35(a)(2)),'' section later in this preamble. If an individual or
organization sought access to PII from education records for its own
purpose, disclosure of the PII from education records without consent
would not be permitted under FERPA, and the FERPA-permitted entity must
not authorize the representative or permit the disclosure of PII from
education records without consent. The written agreement operates as a
contract between the FERPA-permitted entity and the authorized
representative, so in the event that an individual or entity misuses
PII from education records for purposes other than those that are
authorized, there would be recourse according to the terms specified in
the written agreement, in addition to any enforcement actions the
Department may take.
Also, we continue to believe that there are good policy reasons to
allow other agencies to serve as authorized representatives of FERPA-
permitted entities. As we explained in the NPRM, we believe that our
prior interpretation of the term ``authorized representative'' unduly
restricted State and local educational authorities from disclosing PII
from education records for the purpose of obtaining data on post-
school outcomes, such as employment of their former students, in order
to evaluate the effectiveness of education programs. Accordingly, we
believe that our interpretation reflected in these final regulations
reasonably permits State and local educational authorities, the
Secretary, the Comptroller General, and the Attorney General of the
United States to have the necessary flexibility and discretion to
determine who may represent them with respect to audits and evaluations
of Federal- or State-supported education programs and to enforce and to
comply with Federal legal requirements that relate to such programs,
subject to the requirements in FERPA.
Some commenters also appear to have misunderstood the Department's
previous interpretation of the term ``authorized representative'' and
mistakenly assumed that the Department has historically only permitted
employees and contractors of FERPA-permitted entities to serve as
authorized representatives. This is not the case. For instance, prior
to the issuance of the Hansen Memorandum in 2003, the Department
entered into a memorandum of agreement with the Centers for Disease
Control and Prevention (CDC) in which the Department designated the CDC
to serve as its authorized representative for purposes of collecting
information under the Metropolitan Atlanta Developmental Disabilities
Surveillance Program.
Further, prior to the Hansen Memorandum, the Department had
provided guidance that State educational authorities could designate a
State Unemployment Insurance agency as an authorized representative for
the purpose of conducting wage record matches to carry out the
performance reporting requirements of the Workforce Investment Act
(WIA). Memorandum on Application of FERPA to Reporting for Eligible
Training Providers under Title I of WIA from Judith A. Winston,
Undersecretary of the Department of Education, (January 19, 2001).
Further, in the 2008 FERPA regulations, the term ``authorized
representative'' was not limited to employees and contractors of the
FERPA-permitted entities. In the preamble to those regulations, we
wrote:
In general, the Department has interpreted FERPA and
implementing regulations to permit the disclosure of personally
identifiable information from education records, without consent, in
connection with the outsourcing of institutional services and
functions. Accordingly, the term ``authorized representative'' in
Sec. 99.31(a)(3) includes contractors, consultants, volunteers, and
other outside parties (i.e., nonemployees) used to conduct an audit,
evaluation, or compliance or enforcement activities specified in
Sec. 99.35, or other institutional services or functions for which
the official or agency would otherwise use its own employees. For
example, a State educational authority may disclose personally
identifiable information from education records, without consent, to
an outside attorney retained to provide legal services or an outside
computer consultant hired to develop and manage a data system for
education records.
73 FR 74806, 74825 (Dec. 9, 2008).
In other words, since 2008, we have included within the definition
of ``authorized representative'' any outside party used to conduct an
audit, evaluation, or enforcement or compliance activity specified in
Sec. 99.35, or other institutional services or functions for which the
official or agency would otherwise use its own employees. These outside
parties were required to be under the direct control of an SEA pursuant
to the Hansen Memorandum; however, as we discuss in further detail in
the following paragraphs, the Department has decided to eliminate the
Hansen Memorandum's direct control requirement in these final
regulations.
The statement in the preamble to the 2008 final regulations that
``any further expansion of the list of officials and entities in FERPA
that may receive education records without the consent of the parent or
the eligible student must be authorized by legislation enacted by
Congress,'' means that any expansion of the current statutory
exceptions to the consent requirement must be authorized by Congress.
Today's change is not an expansion of the statutory exceptions to the
consent requirement; rather it is a modification of the Department's
interpretation of a term used in one of FERPA's existing statutory
exceptions to consent so as to be consistent with recent developments
in the law.
Moreover, the 2008 FERPA amendments did not provide an exhaustive
or comprehensive list of the exceptions to the written consent
requirement that would permit disclosure to non-educational State
agencies. Rather, we noted that there are ``some exceptions that might
authorize disclosures to non-educational State agencies for specified
purposes'' and listed as examples disclosures made under the health or
safety emergency exception (Sec. Sec. 99.31(a)(10) and 99.36), the
financial aid exception (Sec. 99.31(a)(4)), or pursuant to a State
statute under the juvenile justice exception (Sec. Sec. 99.31(a)(5)
and 99.38). This was not an exhaustive listing of FERPA exceptions to
the general consent requirement that would permit disclosure to non-
educational State agencies. For example, a disclosure without consent
also may be made to non-educational State agencies pursuant to the
exception for lawfully issued subpoenas (Sec. 99.31(a)(9)), but this
was not included in the 2008 preamble.
Even if the preamble to the 2008 final regulations clearly stated
that the officials and agencies listed under Sec. 99.31(a)(3)(i)
through (a)(3)(iv) could not designate non-educational State agencies
as their authorized representatives--which it did not--the Department
still retains the authority to change its interpretation through
notice-and-comment rulemaking, especially in light of recent
legislation. Accordingly, because the term ``authorized
representative'' is not defined in the statute, and the America
COMPETES Act and ARRA have provided evidence of Congressional intent to
expand and develop SLDS to include early childhood, postsecondary, and
workforce information, the Department has decided to change its
interpretation of the term ``authorized representative'' in order to
permit State and local educational authorities, the Secretary of
Education, the Comptroller General, and the Attorney General of the
United States to have greater flexibility and discretion to designate
authorized representatives who may access PII from education records as
needed to conduct an audit, evaluation, or enforcement or compliance
activity specified in Sec. 99.35.
In response to commenters who objected to the rescission of the
Hansen Memorandum's direct control requirement, the direct control
requirement is not found in FERPA and is inconsistent with requirements
of the America COMPETES Act and ARRA. We do not interpret the two
references to the word ``officials'' in paragraph (b)(3) of FERPA as
defining who may serve as an authorized representative of the officials
listed in the exception. This would, in fact, limit those who could
serve as an authorized representative to officials of the heads of
agencies listed, which is inconsistent with the position adopted by the
Hansen Memorandum. Rather, we interpret the word ``officials'' in
paragraph (b)(3) of FERPA as simply a reference back to the four
officials who are listed in the exception: the Secretary, the
Comptroller General, the Attorney General of the United States, and
State educational authorities.
The 1974 Joint Statement stated that ``existing law restricts
transfer, without the consent of parents or students, of personally
identifiable information
concerning a student to * * * auditors from the General Accounting
Office and the Department of Health, Education, and Welfare * * *'' 120
Cong. Rec. at 39863 (December 13, 1974). FERPA, however, was originally
enacted on August 21, 1974. Thus, the Joint Statement provides little
more than a retrospective narrative background regarding the exception
to consent in 20 U.S.C. 1232g(b)(1)(C) and (b)(3), which already was in
existing law and was not being amended in December 1974. Further, the
Joint Statement only provides a short-hand and incomplete summary of
this exception to consent. Significantly, the Joint Statement omits
many aspects of this then-existing exception, which in addition to
permitting disclosure of PII from education records without consent to
``authorized representatives of'' the Comptroller General and the
Secretary of Health, Education, and Welfare (as referred to in the
Joint Statement) also permitted disclosure without consent to
``authorized representatives of'' ``State educational authorities'' and
``an administrative head of an education agency.'' See section 513 of
Pub. L. 93-380 (August 21, 1974). Further, this then-existing exception
to consent permitted disclosure of PII from education records without
consent not only for the conduct of audits by auditors (as referred to
in the Joint Statement), but also for the conduct of evaluations and
the enforcement of Federal legal requirements. Id.
While we support the efforts in the Hansen Memorandum to protect
student privacy, the Hansen Memorandum's direct control requirement
resulted in State and local educational authorities engaging in
convoluted processes to conduct an audit, evaluation, or enforcement or
compliance activity that may serve only to increase costs and lessen
privacy protection. Student privacy can be protected without having to
prohibit disclosure of PII from education records to other entities in
order to conduct an audit, evaluation, or enforcement or compliance
activity. Although increased data sharing may result from our
definition of ``authorized representative,'' it still would only be
permitted under the terms of the exception. To disclose PII from
education records without consent to an authorized representative
(other than an employee), the exception requires written agreements and
the use of reasonable methods to ensure to the greatest extent
practicable FERPA compliance by an authorized representative. Further,
an authorized representative's use of PII from education records is
restricted to audits, evaluations, or enforcement or compliance
activities.
The Department also disagrees that its definition of ``authorized
representative'' constitutes an unlawful sub-delegation of authority to
non-Federal entities. Although U.S. Telecom stands for the proposition
that certain Federal agency sub-delegations are improper, its holding
is inapposite when applied to the Department's definition of the term
``authorized representative'' in Sec. 99.3. Unlike the statutory
language in 20 U.S.C. 1232g(b)(1)(C) and (b)(3) that specifically
identifies authorized representatives of the designated entities as
potential recipients to whom PII from education records may be
disclosed without consent, the authorizing statute at issue in U.S.
Telecom assigned the FCC the specific responsibility of making
impairment determinations:
``* * * the Commission shall consider, at a minimum, whether--
(A) access to such network elements as are proprietary in nature is
necessary; and (B) the failure to provide access to such network
elements would impair the ability of the telecommunications carrier
seeking access to provide the services that it seeks to offer''.
See 47 U.S.C. 251(d)(2). The U.S. Telecom court rejected the FCC's
argument that it possessed the presumptive authority to sub-delegate
its statutory decisionmaking responsibilities to any party absent
congressional intent to the contrary. In this case, however, the
Department is not attempting to delegate its decisionmaking authority
and is only permitting authority for an audit, evaluation, or
enforcement or compliance activity to be delegated to authorized
representatives of FERPA-permitted entities, as Congress specifically
identified in FERPA.
U.S. Telecom is similarly distinguished in Fund for Animals v.
Norton, 365 F. Supp. 2d 394 (S.D.N.Y. 2005), which held that the Fish
and Wildlife Service (FWS) did not act unlawfully by delegating limited
authority over management of cormorant populations to regional FWS and
State wildlife services directors, State agencies, and federally
recognized Indian Tribes. Fund for Animals emphasized that FWS'
delegation was not inconsistent with the statutory requirements and
thus was entitled to deference under the Supreme Court's decision in
Chevron U.S.A. Inc. v. NRDC, 467 U.S. 837 (1984). Id. at 410-11. Unlike
the FCC's wholesale delegation to State commissioners of its statutory
responsibility to make access determinations under 47 U.S.C. 251(d)(2),
the FWS retained ultimate control over the delegates' determinations.
Likewise, in adopting the definition of the term ``authorized
representative,'' the Department is not delegating its statutory
authority to address violations of FERPA under 20 U.S.C. 1232g(f). The
Department is simply delegating the authority to the entities specified
in 20 U.S.C. 1232g(b)(1)(C) and (b)(3) to determine who may serve as
their authorized representatives to conduct an audit, evaluation, or
enforcement or compliance activity. This delegation is premised on
compliance with other statutory and regulatory conditions, in
connection with audits, evaluations, or enforcement or compliance
activities.
Some commenters asked that we expand the definition of the term
``authorized representative'' to include child welfare agencies, to
allow these agencies to monitor the educational outcomes of children
under their care and responsibility. Paragraph (b)(3) of FERPA,
however, does not allow this expansion of the purposes for which PII
from education records may be used by authorized representatives. While
we agree that authorized representatives of State educational
authorities may generally include child welfare agencies, authorized
representatives may only access PII from education records under
paragraph (b)(3) of FERPA in order to conduct audits, evaluations, or
enforcement or compliance activities.
Changes: None.
Comment: One commenter expressed concern about being held
responsible for the disclosure of PII from education records to an
authorized representative over which it does not have direct control,
such as another State agency, if the authorized representative
improperly rediscloses that information. This commenter, therefore,
recommended that the FERPA regulations provide that a State or local
educational authority is not required to comply with FERPA in regard to
PII from education records that it discloses to an authorized
representative over which it does not have direct control. In the
alternative, this commenter requested that the regulations clarify that
a State or local educational authority retains control over the entity
or individual designated as its authorized representative through the
required written agreement to ensure PII from education records is
protected from unauthorized redisclosure.
Discussion: Like any disclosing entity, State or local educational
authorities have an important responsibility to
protect the privacy of PII from education records. To carry out this
responsibility, a State or local educational authority must use
reasonable methods to ensure to the greatest extent practicable that
its authorized representative is complying with FERPA. A disclosing
State or local educational authority, such as an SEA, also must enter
into a written agreement with its authorized representative that
details the responsibilities of both parties to protect the PII from
education records disclosed to the authorized representative by the
educational authority. If the State or local educational authority,
such as an SEA, does not have confidence that the authorized
representative will meet its responsibilities under the written
agreement to protect PII from education records, the State or local
educational authority should not authorize the individual or entity as
a representative. The Department would be abdicating its responsibility
under FERPA to protect the privacy of PII from education records if we
released a State or local educational authority from responsibility
when it discloses PII from education records to an authorized
representative that is not under its direct control, such as another
State agency.
Changes: None.
Comment: One commenter stated that, because the definition of
``authorized representative'' would allow ``any individual or entity''
to be designated as an authorized representative, the Department
appears to be adopting a position under which an authorized
representative is not required to have a ``legitimate educational
interest'' to receive PII from education records under the audit or
evaluation exception.
Discussion: We believe the regulations clearly articulate that a
FERPA-permitted entity may only disclose PII from education records to
an authorized representative under the audit or evaluation exception if
the authorized representative will use PII from education records for
one of the statutorily-specified purposes, i.e., if it is needed to
conduct audits, evaluations, or enforcement or compliance activities.
We have revised the regulations regarding written agreements between
FERPA-permitted entities and their authorized representatives to
include a requirement that the written agreement establish the policies
and procedures that limit the use of PII from education records to only
authorized representatives for statutorily-specified purposes. If an
authorized representative receives PII from education records for one
of these statutorily-specified purposes, then this constitutes a
legitimate interest in receiving PII from education records. We have
not required that authorized representatives have ``legitimate
educational interests'' in receiving PII from education records, as
suggested by the commenter, because we already require in Sec.
99.31(a)(1) of the current regulations that educational agencies and
institutions must determine that school officials have legitimate
educational interests. Because authorized representatives differ from
school officials and may receive PII from education records only for
statutorily-specified purposes, we refer to the interests of authorized
representatives in receiving PII from education records as ``legitimate
interests.''
Changes: We have revised Sec. 99.35(a)(3)(v) to substitute the
phrase ``authorized representatives with legitimate interests in the
audit or evaluation of a Federal- or State-supported education program
or for compliance or enforcement of Federal legal requirements related
to these programs'' for the phrase ``authorized representatives with
legitimate interests.''
Comment: Some commenters indicated that the proposed definition of
``authorized representative'' should be amended so that authorized
representatives may use PII from education records for any compliance
or enforcement activity in connection with State legal requirements
that relate to Federal- or State-supported education programs, as
opposed to just Federal legal requirements.
Discussion: The Department lacks the statutory authority to make
the requested change to expand the disclosures of PII from education
records permitted without consent to include compliance or enforcement
activity in connection with State legal requirements that relate to
Federal- or State-supported education programs. Specifically, sections
(b)(3) and (b)(5) of FERPA only permit the disclosure of PII from
education records, without consent, ``in connection with the
enforcement of the Federal legal requirements'' that relate to Federal-
or State-supported education programs. Accordingly, the Department is
unable to expand the permitted disclosures of PII from education
records to include a compliance or enforcement activity in connection
with State legal requirements.
Changes: None.
Comment: One commenter also requested that, in lieu of the proposed
definition of ``authorized representative,'' we provide that State
agencies or other entities responsible for an education program, as
that term was defined in the NPRM, are educational authorities for the
limited purpose of the administration of their Federal- or State-
supported education programs and that such entities are subject to the
enforcement powers of the Department.
Discussion: We did not propose in the NPRM to define the term
``State and local educational authorities,'' which is used in Sec.
99.31(a)(3). Therefore, we do not believe it is appropriate to define
this term without providing the public with notice and the opportunity
to comment on a proposed definition. Further, we do not agree that
every entity that is responsible for an ``education program'' would be
considered a State or local educational authority. As explained earlier
in the preamble, the Department has generally interpreted the term
``State and local educational authorities'' to mean LEAs, SEAs, State
postsecondary commissions, BIE, or entities that are responsible for
and authorized under State or Federal law to supervise, plan,
coordinate, advise, audit, or evaluate elementary, secondary, or
postsecondary education programs and services in the State. Thus, we
would not consider individual schools or early learning centers to be
State or local educational authorities. Finally, the Department's
enforcement powers with respect to a State or local educational
authority are dependent on whether the educational authority receives
funding under a program administered by the Secretary. If an
educational authority does not receive such funding, then the
Department's only FERPA enforcement measure would be the five-year
rule.
Changes: None.
Comment: Several commenters stated that the Department should adopt
additional remedies or sanctions to hold authorized representatives
accountable.
Discussion: FERPA authorizes the Secretary to pursue specific
remedies against recipients of funds under programs administered by the
Secretary. Congress expressly directed the Secretary to ``take
appropriate actions'' to ``enforce'' FERPA and ``to deal with
violations'' of its terms ``in accordance with [GEPA].'' 20 U.S.C.
1232g(f). In GEPA, Congress provided the Secretary with the authority
and discretion to take enforcement actions against any recipient of
funds under any program administered by the Secretary for failures to
comply substantially with FERPA (or other requirements of applicable
law). 20 U.S.C. 1221 and 1234c(a). GEPA's enforcement methods expressly
permit the Secretary to issue a complaint to compel compliance
through a cease and desist order, to recover funds improperly spent, to
withhold further payments, to enter into a compliance agreement, or to
``take any other action authorized by law,'' including suing for
enforcement of FERPA's requirements. 20 U.S.C. 1234a, 1234c(a), 1234d,
1234e; 1234f; 34 CFR 99.67(a); see also United States v. Miami Univ.,
294 F.3d 797 (6th Cir. 2002) (affirming district court's decision that
the United States may bring suit to enforce FERPA). Thus, if an
authorized representative receives funds under a program administered
by the Secretary, the Department has the authority to enforce failures
to comply with FERPA under any of GEPA's enforcement methods. If an
authorized representative does not receive funds under a program
administered by the Secretary and improperly rediscloses PII from
education records, then the only remedy available under FERPA against
the authorized representative would be for the Department to prohibit
the disclosing educational agency or institution from permitting the
authorized representative to access PII from education records for
a period of not less than five years. 20 U.S.C. 1232g(b)(4)(B). These
are the only remedies available to the Department to enforce FERPA.
Remedies, such as assessing fines against any entity that violates
FERPA, are not within the Department's statutory authority.
Under the FERPA regulations, and in accordance with its
longstanding practice, the Department only will take an enforcement
action if voluntary compliance and corrective actions cannot first be
obtained. If the violating entity refuses to come into voluntary
compliance, the Department can take the above listed enforcement
actions. However, in addition to these statutorily authorized remedies,
we encourage FERPA-permitted entities to consider specifying additional
remedies or sanctions as part of the written agreements with their
authorized representatives under Sec. 99.35 in order to protect PII
from education records. Written agreements can be used to permit
increased flexibility in sanctions, to the extent that the desired
sanction is permitted under law.
Changes: None.
Reasonable Methods (Sec. 99.35(a)(2))
Comment: Commenters were split on whether it was appropriate to
define ``reasonable methods'' in the regulations. Some commenters
agreed that the Department should not prescribe reasonable methods in
the regulations and welcomed the additional flexibility offered by the
proposed regulations. Others criticized the failure of the proposed
regulations to require specific reasonable methods, contending that the
Department was taking steps to allow more access to PII from education
records but was not taking commensurate steps to prevent misuse of PII
from education records being disclosed. One commenter requested further
clarification on the expected enforcement actions the Department would
take if an LEA or SEA did not use reasonable methods to ensure that its
authorized representatives were in compliance with FERPA before
disclosing PII from education records to them.
Discussion: The Department proposed the reasonable methods
requirement to increase accountability so that FERPA-permitted entities
disclosing PII from education records hold their authorized
representatives accountable for complying with FERPA. FERPA-permitted
entities must monitor the data handling practices of their own
employees. They must also use reasonable methods to ensure FERPA
compliance to the greatest extent practicable by their authorized
representatives. The Department believes that FERPA-permitted entities
should be accorded substantial flexibility to determine the most
appropriate reasonable methods for their particular circumstances. In
other words, what constitutes a reasonable method for ensuring
compliance is not a one-size-fits-all solution; there are numerous
actions a FERPA-permitted entity may take to ensure to the greatest
extent practicable FERPA compliance by its authorized representatives.
Nonetheless, while the Department is granting more flexibility to
determine appropriate reasonable methods given the specific
circumstances of the data disclosure, the Department will consider a
FERPA-permitted entity disclosing PII from education records to its
authorized representative without taking any reasonable methods to be
in violation of FERPA and subject to enforcement actions by the
Department.
It is worth noting that the FERPA regulations already require that
educational agencies and institutions use reasonable methods such as
access controls so that school officials only may access those
education records in which they have a legitimate educational interest.
See Sec. 99.31(a)(1)(ii). The lack of specificity in Sec.
99.31(a)(1)(ii) is appropriate, given variations in conditions from
school-to-school. The Department believes similar flexibility is
appropriate when FERPA-permitted entities disclose PII from education
records to authorized representatives.
While the Department declines to impose specific requirements for
reasonable methods, we are issuing non-regulatory guidance on best
practices for reasonable methods as Appendix A. Variations of the
elements appear in Appendix A as best practices for written agreements.
In the following paragraphs, we provide a summary and discussion of the
various suggestions for reasonable methods the Department received in
response to the NPRM, and discuss whether we consider them best
practices. Please note that Appendix A may also include best practices
that were not mentioned by commenters, but that the Department believes
would result in both increased data and privacy protection.
Reasonable methods are those actions the disclosing FERPA-permitted
entity would take to ensure to the greatest extent practicable that its
authorized representative complies with FERPA. The disclosing FERPA-
permitted entity should generally take most of these actions by
requiring them in its written agreement with its authorized
representative. Many commenters discussed how reasonable methods could
ensure FERPA compliance, but some commenters suggested that these
techniques be required for FERPA-permitted entities in addition to
their authorized representatives. While this is beyond the scope of the
reasonable methods contemplated in the regulations, the best practices
that the Department provides apply equally to other entities as a
starting point for good data governance, the responsible use of data,
and the protection of student privacy.
The Department has already produced several technical briefs that
address many of the suggestions the Department received on reasonable
methods and written agreements: ``Basic Concepts and Definitions for
Privacy and Confidentiality in Student Education Records,'' ``Data
Stewardship: Managing Personally Identifiable Information in Electronic
Student Education Records,'' and ``Statistical Methods for Protecting
Personally Identifiable Information in Aggregate Reporting.'' The
briefs can be found at http://nces.ed.gov/programs/ptac/Toolkit.aspx?section=Technical%20Briefs. The Department is continually
looking to improve the best practices information found in the briefs
and encourages comments and suggestions to be emailed to the Department
at SLDStechbrief@ed.gov. As with the best practices in Appendix A to
this document, these briefs serve as resources for practitioners to
consider
adopting or adapting to complement the work they are already doing;
they are not one-size-fits-all solutions.
Changes: None.
Comment: One commenter objected to the use of the word ``ensure,''
as it was proposed in Sec. 99.35(a)(2), stating the term was
``unrealistic and misleading'' as nothing could definitively ensure
that FERPA violations would not happen.
Discussion: The Department agrees with the commenter and is
changing the language concerning reasonable methods in Sec.
99.35(a)(2) to clarify that we expect FERPA-permitted entities to be
responsible for using reasonable methods to ensure to the greatest
extent practicable that their authorized representatives protect PII
from education records in accordance with FERPA.
Changes: Section 99.35(a)(2) has been revised to state that FERPA-
permitted entities are ``responsible for using reasonable methods to
ensure to the greatest extent practicable that any entity or individual
designated as its authorized representative'' protects PII from
education records.
Comment: The Department received multiple suggestions on actions a
FERPA-permitted entity should take to verify that its authorized
representative is trustworthy and has a demonstrated track record of
protecting data responsibly. Several comments suggested the need to
verify that an authorized representative has disciplinary policies and
procedures in place to ensure that employees who violate FERPA are
dealt with appropriately, including possible termination of employment.
Others suggested that individuals accessing PII from education records
as authorized representatives should be required to undergo criminal
background checks. A number of commenters suggested that the Department
require verification that the authorized representative has a training
program to teach employees who will have access to PII from education
records about their responsibilities under FERPA. A common suggestion
was to require the authorized representative to verify that it has no
previous record of improperly disclosing PII from education records.
One possible method of corroboration included requiring the authorized
representative to divulge under penalty of perjury, both to the entity
disclosing the data and to the general public, parents, and students,
whether it has violated any written agreements or otherwise
inappropriately disclosed FERPA-protected data. Another suggested
receiving assurances that the authorized representative has no previous
record of improperly disclosing PII from education records and that it
is not currently ``under suspension'' from any State or local
educational authority for inappropriate disclosure of student data.
Multiple commenters also suggested that the Department publish a list
of individuals or entities we found to have violated FERPA and against
which we have taken enforcement actions. Some commenters stated that
reasonable methods should include verifying that the authorized
representative is not on that list published by the Department, while
others suggested that individuals and entities on the list should be
prevented from entering into future written agreements with all other
FERPA-permitted entities, not just the FERPA-permitted entity whose
data were mishandled.
Discussion: The Department agrees that it is vital to verify that
the individual or entity acting as an authorized representative has
proven that it is trustworthy and has policies and procedures in place
to continue that record. While the Department will not mandate any
specific requirements, the best practices for reasonable methods in
Appendix A include:
Verify the existence of disciplinary policies to protect
data. The FERPA-permitted entity may want to verify that its authorized
representative has appropriate disciplinary policies for employees that
violate FERPA. This can include termination in appropriate instances.
Know to whom you are disclosing data. The FERPA-permitted
entity may want to require its authorized representative to conduct
background investigations of employees who will have access to PII from
education records, or it may want to conduct these investigations
itself. Additionally, the FERPA-permitted entity may want to require
its authorized representative to disclose past FERPA or data management
violations. If the FERPA-permitted entity discovers past violations, it
would want to explore the circumstances behind the violation, and
discover all information that would allow it to make an informed
judgment on whether the individual or entity is likely to be a
responsible data steward. This may include discovering whether the
violation was covered up, including if it was voluntarily reported to
affected students or FPCO, and whether appropriate breach response
procedures were followed.
Verify training. The FERPA-permitted entity may want to
verify that its authorized representative has a training program to
teach its employees about FERPA and how to protect PII from education
records, or the FERPA-permitted entity may want to train its authorized
representatives itself.
As these are best practices, it is up to the FERPA-permitted
entities to determine which actions are appropriate based on the
circumstances; it is their responsibility to determine whether their
authorized representatives understand their obligations under FERPA and
whether they are likely to comply with FERPA's requirements. For
example, even if an authorized representative discloses a past FERPA
violation, a FERPA-permitted entity may nonetheless determine that the
circumstances are such that it is still appropriate to disclose PII
from education records to that individual or entity. The disclosing
entity should take all factors into account, including the length of
time since the violation, subsequent good behavior, corrective actions
taken to negate the possibility of any similar future violations, etc.
For the time being, the Department has decided not to implement the
idea of compiling a list of FERPA violators. The Department believes
that a public list of entities that have violated FERPA is an
intriguing idea and will continue to keep this idea in mind and
possibly implement it at a later date.
The Department declines to broaden the requirement that, under the
five-year rule, the authorized representative is prevented only from
receiving PII from education records from the educational agency or
institution that originally disclosed the PII from education records.
The statutory language is clear that the five-year rule only permits
the Department to prohibit further disclosures from the educational
agenc(ies) or institution(s) which maintained the original education
records from which PII was improperly redisclosed.
If an authorized representative is alleged to have violated FERPA,
the Department will also investigate the complaint to determine the
extent to which the disclosing FERPA-permitted entity employed
reasonable methods. The Department's investigation will consider the
reasonable methods taken and the specific circumstances of the
disclosure.
Changes: None.
Comment: Numerous commenters suggested that FERPA-permitted
entities should require their authorized representatives to use
specific data security methods in order to ensure FERPA compliance.
Many commenters provided suggestions for data security methods,
including: Requiring strong encryption, publishing security
guidelines, instituting dual-key login, preparing formal security
assessments, instituting a security audit program, completing formal
risk assessments, monitoring security events, creating data disposal
procedures, implementing access controls, and monitoring physical
security controls, including what people keep on their desks and
printers. Several commenters stated that the Department should
specifically regulate data security, as HHS does in the Health
Insurance Portability and Accountability Act of 1996 Security Rule, 45
CFR 164.306 et seq.
Discussion: The Department does not believe it is appropriate to
regulate specific data security requirements under FERPA. The
Department believes it is more appropriate to allow for flexibility
based on individual circumstances. In addition, rapid changes in
technology may potentially make any regulations related to data
security quickly obsolete. With the increasing move toward mobile
computing, evolving hacking techniques, and the push toward ever
stronger encryption standards, we believe that it is inadvisable to
establish specific regulations in this area.
Still, the Department recognizes the important need, especially
with the development of SLDS, for authorized representatives to have
strong data security policies and programs in place. Data security is
also an essential part of complying with FERPA as violations of the law
can occur due to weak or nonexistent data security protocols. As such,
the Department is adding the following to its best practices, which are
included as Appendix A to this document:
Verify the existence of a sound data security plan.
The FERPA-permitted entity may wish to verify before disclosing PII
from education records that its authorized representative has a sound
data security program, one that protects both data at rest and data in
transmission. A FERPA-permitted entity has a responsibility to
determine if its authorized representative's data security plan is
adequate to prevent FERPA violations. The steps that the disclosing
entity may need to take in order to verify a sound data security
program are likely to vary with each situation. In some cases, it may
suffice to add language to the written agreement that states what data
security measures are required. In other cases, it may be more prudent
for the FERPA-permitted entity to take a hands-on approach and complete
a physical inspection. Additionally, the FERPA-permitted entity's
written agreements could specify required data security elements,
including requirements related to encryption, where the data can be
hosted, transmission methodologies, and provisions to prevent
unauthorized access.
Changes: None.
Comment: Some commenters suggested that the Department mandate that
FERPA-permitted entities require their authorized representatives to
implement various practices that fall under the rubric of data
governance. Several commenters suggested the addition of various staff
positions as part of a proper data governance strategy. One commenter
suggested that the Department require LEAs to appoint formal FERPA
compliance liaisons who would develop FERPA policies and procedures and
provide professional development to those at the LEA who handle PII
from education records. Another commenter suggested that the FERPA-
permitted entity require the authorized representative to create an
information security office. One commenter recommended that, as data
governance is ultimately the responsibility of everyone in an
organization, the FERPA-permitted entity should require its
authorized representative to adopt a formal governance plan that
includes all levels of stakeholders, such as management, the policy
team, data providers, and data consumers. The same commenter
recommended that the Department require FERPA-permitted entities to
have a formal communications plan so expectations regarding the
governance plan are known to everyone.
Discussion: The Department declines to regulate specific data
governance requirements, as we prefer to grant FERPA-permitted entities
the flexibility to determine the appropriate elements for their
authorized representatives to include in a comprehensive governance
plan. The Department is adding the following element to the best
practices for reasonable methods in Appendix A:
Verify the existence of a data stewardship program. The FERPA-
permitted entity may want to examine its authorized representative's
data stewardship program. Data stewardship should involve internal
control procedures that protect PII from education records and include
all aspects of data collection--from planning to maintenance to use and
dissemination. The Department believes that a good data stewardship
plan would have support and participation from across the organization,
including the head of the organization, management, legal counsel, and
data administrators, providers, and users. The plan should detail the
organization's policies and procedures to protect privacy and data
security, including the ongoing management of data collection,
processing, storage, maintenance, use, and destruction. The plan could
also include designating an individual to oversee the privacy and
security of the PII from the education records it maintains.
As with data security, it is up to the FERPA-permitted entities to
determine if the authorized representative's data stewardship plan is
sufficient. Depending on the circumstances of the disclosure, this may
include simply adding a description of the data governance plan to the
written agreement or conducting an on-site inspection to ensure the
authorized representative is properly implementing its plan.
Changes: None.
Comment: Multiple commenters suggested ways that reasonable methods
could be used to prevent the authorized representative from improperly
redisclosing PII from education records. Some commenters expressed
concern that there is no bright line rule for how long PII from
education records could be maintained by an authorized representative
before it was required to be destroyed or returned. One commenter
suggested a period of five years should be mandated as the maximum time
PII from education records could be kept. Others expressed the view
that exact timelines for keeping data were not warranted. Some
requested that the Department clarify how PII from education records
can be retained for purposes of long-term analysis.
Several commenters asked the Department to require a formal process
to document the destruction or return of the disclosed PII from
education records, such as a notarized letter, to ensure that both the
disclosing FERPA-permitted entity and the authorized representative are
upholding their responsibilities. Some commenters argued that this type
of process would be ideal as it is often too difficult for the
disclosing FERPA-permitted entity to verify that PII from education
records has in fact been fully destroyed, and that the authorized
representative did not maintain some electronic copy of the PII. If
such a notarized statement were required, one commenter then asserted
that the FERPA-permitted entity making the disclosure be held harmless
if its authorized representative nonetheless maintained a copy of the
data. Others stated that there should be more flexibility, such as
permitting the storage of PII from education records in
secure archives as opposed to fully returning or destroying it.
The Department also received comments suggesting that we limit the
number or nature of data elements in PII from education records that
can be disclosed or included in an SLDS, including how that data could
potentially be linked to other information. The Department received
comments stating that FERPA-permitted entities should be given the
right to review any document being published by the authorized
representative that uses the disclosed PII from education records to
ensure that proper disclosure avoidance techniques were used to prevent
an unauthorized disclosure. Finally, several commenters requested that
reasonable methods include a provision that would allow the disclosing
FERPA-permitted entity access to the authorized representative's
policies, procedures, and systems to conduct monitoring and audit
activities to ensure the authorized representative is taking all
necessary steps to protect the PII from education records. Some
commenters stated that these audits should be completed by independent
third parties. Other commenters requested that the results of the
audits be disclosed to the public.
Discussion: The Department believes that outlining the time period
that an authorized representative can maintain data for the purpose of
an audit, evaluation, or enforcement or compliance activity is
extremely important, which is why it is one of the minimum required
components of the written agreement (see Sec. 99.35(a)(3)(iv)).
Nonetheless, the Department declines to specify a set period of time in
the regulations for data retention, as the necessary amount of
retention time is highly fact specific. For example, if an SEA is
disclosing PII from education records to an authorized representative
for an evaluation that is expected to take six months, it may be,
depending on the circumstances of the evaluation, reasonable to require
the authorized representative to destroy the disclosed PII in six
months. If, however, an SEA is disclosing PII from education records to
a regional entity for a longitudinal, multi-year evaluation, the
written agreement might specify that data retention would be reviewed
annually, with data elements being retained or destroyed as
appropriate. The Department believes it is important to leave the
determination of the appropriate time period up to the parties to the
agreement.
The comments about methods for destruction do, however, point out a
potential inconsistency in the NPRM that should be corrected. The NPRM
provided that in some instances data must be destroyed when no longer
needed, and that the data must be returned or destroyed in other
instances. We believe the reference to returning data was more
appropriate in a paper-based environment, and that destroying data is
the more appropriate action when discussing electronic records. An
entity could elect to destroy the data in question by returning the
original file and erasing all versions of the data from its servers.
Accordingly, we have decided to remove the proposed requirements in
Sec. 99.35(a)(3)(iii) and (a)(3)(iv) that permitted an authorized
representative to return PII from education records to the FERPA-
permitted entity, in lieu of destroying such information, in order to
correct the inconsistency.
While the Department is not regulating on this particular process,
when assessing responsibility, if the Department finds that PII from
education records has not been appropriately destroyed by an authorized
representative, the Department would review all of the reasonable
methods taken by the disclosing FERPA-permitted entity, such as if the
written agreement included a formal process to verify the destruction
of PII from education records.
The Department is not addressing through the FERPA regulations the
number or nature of elements that can be disclosed, included in an
SLDS, or linked to other elements. As stated earlier, FERPA is not a
data collection statute, and it is beyond the scope of the statute to
address these issues in these regulations. So long as all requirements
of FERPA are met, the parties to the agreement have the flexibility to
determine what elements should be disclosed and how they can be
combined with other elements. Still, the FERPA regulations require that
PII from education records may not be used for any purpose other than
the audit, evaluation, or enforcement or compliance activity that
prompted the original disclosure.
It is important that the authorized representative not purposely or
inadvertently redisclose PII from education records inappropriately.
For example, the written agreement could reflect the expectations that
the FERPA-permitted entities have of the authorized representatives
when it comes to making the data public. Methods, such as using
disclosure avoidance techniques or exercising the right to review and
approve any reports using the data before release, can be detailed in
the written agreement to help ensure that unauthorized redisclosures do
not happen.
In addition, the FERPA-permitted entities might wish to maintain
the right to conduct monitoring and audits of the authorized
representative's processes, procedures, and systems. If the FERPA-
permitted entities decide to exercise this right, they should be free
to choose who should conduct the audits or monitoring activities,
whether it is themselves or an external third party, and if the results
should be made public. The Department declines to regulate on this
issue as we do not believe that it will always be necessary to conduct
such audits or monitoring activities. The parties to the data
disclosure agreement can determine if such activity is warranted based
on criteria, such as the scope or duration of the audit, evaluation, or
enforcement or compliance activity.
Based on the discussion in this section, we are including the
following elements in Appendix A as best practices for FERPA-permitted
entities to consider when implementing reasonable methods.
Convey the limitations on the data. A FERPA-permitted
entity should take steps to ensure that its authorized representative
knows the limitations on the use of the data (i.e., that the data is
only to carry out the audit or evaluation of Federal- or State-
supported education programs, or to enforce or to comply with Federal
legal requirements that relate to those programs).
Obtain assurances against redisclosure. A FERPA-permitted
entity should obtain assurances from its authorized representative that
the data will not be redisclosed without permission, including such
assurances that the authorized representative will provide the FERPA-
permitted entity (the disclosing entity) the right to review any data
prior to publication and to verify proper disclosure avoidance
techniques have been used.
Be clear about destruction. A FERPA-permitted entity
should set clear expectations so its authorized representative knows
what process needs to be followed for the proper destruction of PII
from education records.
Maintain a right to audit. A FERPA-permitted entity should
maintain the right to conduct audits or other monitoring activities of
the authorized representative's policies, procedures, and systems.
Disclose only PII from education records that is needed.
When the FERPA-permitted entity considers disclosing PII from education
records to an authorized representative for an
audit, evaluation, or enforcement or compliance activity, it may want
to explore which specific data elements are necessary for that activity
and provide only those elements. FERPA-permitted entities should take
care to ensure that they are not disclosing more PII from education
records than needed for the stated activity and purpose. FERPA-
permitted entities should also explore whether PII from education
records is actually required, or whether de-identified data would
suffice.
Changes: The Department has removed the proposed requirement in
Sec. 99.35(a)(3)(iii) and (a)(3)(iv) that permitted an authorized
representative to return PII from education records to the FERPA-
permitted entity, in lieu of destroying such information, in order to
be more consistent with the statute and to correct an inconsistency in
the NPRM.
Written Agreements (Sec. 99.35(a)(3))
Comment: As with reasonable methods, the Department received mixed
comments on the value of the proposed written agreement requirement and
suggestions for how to improve it. One commenter, while approving of
the written agreement provision, expressed concern that the proposed
changes would relieve data recipients of responsibility for actually
implementing protections, theorizing that the agreements would require
only that ``policies and procedures'' be established, rather than the
inclusion of any provisions providing true accountability. Other
commenters requested that the Department provide the flexibility to
FERPA-permitted entities to draft agreements that meet the needs and
requirements of the circumstances of the data disclosures and the
requirements of the relevant State and local laws. One requester asked
the Department to add the phrase ``including but not limited to'' when
referring to the specific requirements of written agreements as laid
out in the NPRM. Several commenters requested further guidance on
written agreements, including asking the Department to provide a model
template. One commenter asked the Department to provide clarity around
why the ``other than an employee'' language is included in the written
agreement requirement. Another commenter requested that the Department
replace the term ``written agreement'' with ``data exchange agreement''
because the commenter believed the ``written agreement'' term is too
vague and ``data exchange agreement'' is the standard information
security term.
Discussion: The Department proposed adding a new Sec. 99.35(a)(3)
to require written agreements when FERPA-permitted entities designate
an authorized representative (other than an employee) under the audit
or evaluation exception. The proposal included several specific
provisions that must be included in written agreements: (1) Designate
the individual or entity as an authorized representative; (2) specify
the information to be disclosed and that the purpose for which the
information is disclosed to the authorized representative is to carry
out an audit or evaluation of Federal- or State-supported education
programs, or to enforce or to comply with Federal legal requirements
that relate to those programs; (3) require the authorized
representative to destroy or return to the State or local educational
authority or agency headed by an official listed in Sec. 99.31(a)(3)
personally identifiable information from education records when the
information is no longer needed for the purpose specified; (4) specify
the time period in which the information must be returned or destroyed;
and (5) establish policies and procedures consistent with FERPA and
other Federal and State confidentiality and privacy provisions to
protect personally identifiable information from education records from
further disclosure (except back to the disclosing entity) and
unauthorized use, including limiting use of personally identifiable
information to only authorized representatives with legitimate
interests.
While the Department agrees that it is vital that written
agreements clearly set forth all parties' obligations with respect to
PII from education records, the Department believes that it would be
inappropriate to be more prescriptive than the specific safeguards and
provisions we are including in these regulations. The Department
believes that it is more appropriate to provide the parties to the
agreements with the flexibility to draft written agreements that meet
the specific needs of the circumstances surrounding the data
disclosure. In addition, the Department defers to State law governing
contracts and written agreements, including the imposition of allowable
sanctions.
While the Department declines to impose additional requirements for
written agreements, the Department is including in Appendix A a summary
of best practices for written agreements. In the following discussion,
we address comments and suggestions the Department received and whether
the Department considers these best practices. Appendix A also includes
best practices that have not been mentioned in the comments, but the
adoption of which the Department believes would result in increased
accountability for all parties to the agreement. At this time the
Department is not providing a model template for a written agreement
but intends to issue one as additional non-regulatory guidance at a
later date. It is also worth noting that the studies exception has had
a requirement for written agreements since 2008. The matters discussed
here logically apply to PII from education records disclosed under both
the studies and audit or evaluation exceptions. It is only through the
use of written agreements that parties can establish legally binding
roles and responsibilities.
We specifically carve out employees from the written agreement
requirements reflected in Sec. 99.35(a)(3) because the Department is
not requiring written agreements when FERPA-permitted entities use
their own employees to conduct audits, evaluations, or compliance or
enforcement activities. Agreements under the audit or evaluation
exception are only necessary when an authorized representative is
selected that is outside of the organization disclosing the data.
Employees have an inherently different relationship with their
employing organization than does an outside entity. It is important
that any organization with access to PII from education records train
its employees about their responsibilities under FERPA, including
proper data governance and data security procedures. We would expect,
therefore, that organizations would establish conditions of employment
for their employees that are consistent with the components required of
written agreements under Sec. 99.35(a)(3) and that violations of those
conditions would result in disciplinary actions, up to and including
termination.
The Department declines to add the suggested ``including but not
limited to'' language when referring to the minimum written agreement
provisions specified in the regulations. The language in the final
regulations, as proposed in the NPRM, reads that the written agreement
must include these provisions but does not indicate that these are the
only provisions that can be included in the written agreement. As such,
the Department believes that the ``including but not limited to''
language is implied and therefore unnecessary.
Likewise, the Department declines to change the term ``written
agreement'' to ``data exchange agreement.'' ``Written agreement'' is a
general term that would include the more specific ``data
exchange agreement.'' The Department is leaving it up to the discretion
of the parties to the agreement to decide how the agreement may be
termed, whether that be written agreement, contract, memorandum of
understanding, data exchange agreement, or some other term.
Changes: None.
Comment: Several commenters seemed to misinterpret one of the
Department's proposed required components of the written agreement:
``Specify the information to be disclosed and that the purpose for
which the information is disclosed to the authorized representative is
to carry out an audit or evaluation of Federal or State supported
education programs, or to enforce or to comply with Federal legal
requirements that relate to those programs.'' These commenters stated
that the Department was requiring the written agreement to include
``the purposes for which the information is being disclosed.'' Others
noted that anytime PII from education records is shared through one of
the exceptions to the general consent rule under FERPA, the specific
reasons for that disclosure should be clearly stated.
Discussion: The Department originally only proposed that a written
agreement include a statement that the purpose of the disclosure was
for an audit, evaluation, or enforcement or compliance activity. The
NPRM did not include a requirement to describe the details of the
activity or why PII from education records was a necessary component to
the activity. Based on the comments we received, the Department is
revising the regulations to require that written agreements include a
description of the audit, evaluation, or enforcement or compliance
activity.
Changes: Section 99.35(a)(3)(ii)(C) is added to require that the
written agreement include a description of the activity with sufficient
specificity to make clear that the work falls within the exception of
Sec. 99.31(a)(3), including a description of how the personally
identifiable information from education records will be used.
Comment: Several commenters suggested that FERPA-permitted entities
should be required to provide information about PII from education
records being disclosed, such as the data elements being shared and the
purpose of the disclosure, to parents and other stakeholders. Use of a
Web site for this purpose was specifically recommended, particularly
for posting the information on the minimum provisions required for
written agreements. One commenter noted that it was important for the
written agreements to be made available in order for the public to
provide oversight regarding the appropriateness of the data
disclosures.
Discussion: The Department concurs that transparency is important
to ensuring the accountability of all parties. While we decline to
issue regulations requiring it, we suggest that FERPA-permitted
entities post substantive information on their Web sites or in other
public locations about the disclosure of PII from education records,
including the written agreements governing data disclosures and
information about specific projects and uses. As such, we have added
the following to Appendix A as a best practice:
Inform the public about written agreements. Transparency
is a best practice. The FERPA-permitted entity might want to post its
data sharing agreements on its Web site, or provide some equivalent
method to let interested parties know what data it is sharing, the
reasons it is being disclosed, and how it is being protected. While the
Department generally recommends public posting of written agreements,
parties are encouraged to review their contractual data security
provisions carefully and redact, prior to publication, any provisions
that may aid those seeking unauthorized access to systems. In certain
instances a separate confidential IT Security Plan may be appropriate.
Changes: None.
Comment: The Department received multiple suggestions on ways to
increase the legal protections offered by the written agreements.
Several commenters requested that the Department explicitly require
that the written agreements comply with all applicable laws, whether at
the Federal, State, or local level. One commenter specifically
mentioned ensuring compliance with State data security laws and
policies. Several commenters requested the inclusion of provisions that
would ensure that Institutional Review Board (IRB) protocols are in
place and properly implemented. Another commenter requested that the
Department require the written agreement to include a provision
specifying the legal authority for the data disclosure in order to
ensure that anyone disclosing or receiving PII from education records
has the authority to do so. Finally, the Department received many
comments stating that increased accountability over authorized
representatives could be achieved if the Department required that
written agreements have the force of a contract under applicable State
law. Specifically, these commenters strongly urged the Department to
mandate, as a condition of data disclosure, that the written agreements
include contractual safeguards such as liquidated damage provisions for
breach of the agreement and third party beneficiary status for
individuals whose PII from education records is disclosed.
Discussion: The Department agrees with many of the suggestions
included in these comments; however, we decline to incorporate them as
regulatory requirements. Rather, many suggestions have been included as
best practices for written agreements in order to provide FERPA-
permitted entities with the flexibility to craft provisions in the
written agreements that meet their specific needs and the circumstances
of the data disclosures. The Department agrees that the written
agreements must comply with all applicable laws at the Federal, State,
and local levels. This would include any State data security laws. The
Department cannot regulate through FERPA on whether IRB review and
approval is necessary or prudent. On the other hand, if the
circumstances surrounding the audit, evaluation, or enforcement or
compliance activity dictate that IRB involvement is required, it would
be a best practice for the written agreement to reflect that. It should
be noted, however, that the amendments are not intended to supersede
the research regulations under the Common Rule that apply to Federally
funded research of educational data that qualifies as human subject
research. This includes the requirement that the researcher receive a
waiver from an IRB if they intend to conduct research with identifiable
information without consent of the participants.
The Department also agrees that it is sensible to list the express
or implied legal authority that permits the data disclosure and the
audit, evaluation, or enforcement or compliance activity. As stated
elsewhere in this document, FERPA itself does not grant the authority
for these activities, and the existence of this authority is generally
a matter of other Federal, State, and local laws.
In general, the Department agrees with the view that written
agreements should be used, to the extent permissible under applicable
State law, to ensure that authorized representatives (other than
employees) comply with FERPA to the greatest extent practicable. While
the Department believes that there is merit in having written
agreements that clearly set forth all parties' obligations with respect
to FERPA-protected information, the Department believes
[[Page 75626]]
that it would be inappropriate to require that the parties include
specific contractual safeguards. The fact that the authority to enforce
FERPA lies with the Department should not be taken to abrogate the
responsibility that FERPA-permitted entities have to protect PII from
education records. FERPA-permitted entities that are disclosing PII
from education records to authorized representatives (other than
employees) are encouraged to provide for sanctions in their written
agreements, and to enforce those sanctions. The Department believes
that it is appropriate to defer to applicable State laws governing
contracts and written agreements for purposes of safeguarding FERPA-
protected information.
Based on these suggestions, the following is being added to the
best practices listed in Appendix A:
Identify and comply with all legal requirements. It is
important to remember that FERPA may not be the only law that governs a
data sharing agreement. The agreement could broadly require compliance
with all applicable Federal, State, and local laws and regulations, and
identify the legal authority (whether express or implied) that permits
the audit, evaluation, or enforcement or compliance activity.
Mention Institutional Review Board (IRB) review and
approval. While FERPA does not mention IRBs, research proposals
involving human subjects may have to be reviewed and approved by IRBs,
if required under protection of human subject regulations of the
Department and other Federal agencies. If IRB review and approval is
required or expected, this may be noted in the written agreement.
Identify penalties. The agreement could include penalties
under State contract law such as liquidated damages, data bans of
varying length, and any other penalties the parties to the agreement
deem appropriate. The FERPA-permitted entity may want its agreement to
create third-party beneficiary rights, e.g., allowing parties injured
by a data breach to sue for damages. While FERPA itself has little
flexibility for sanctions, the FERPA-permitted entity can include a
wide range of appropriate sanctions in its written agreements.
Changes: None.
Comment: Several commenters suggested that because the disclosure
of PII from education records may create serious risks such as identity
theft, the proposed regulations should require timely notification to
parents and eligible students when their data has been disclosed as a
result of a data security breach. Commenters also suggested that the
written agreement include provisions for the handling of the breach,
such as who would bear the costs associated with notifying those
affected.
Discussion: The Department takes seriously the suggestion that
parents and eligible students should be notified when PII from
education records has been disclosed in violation of FERPA and agrees
that notice should be given when there is a data security breach.
However, the Department declines to impose through the FERPA
regulations specific requirements for breach notification. This will
allow FERPA-permitted entities the requisite flexibility to ascertain
the appropriate responses and approaches to their particular situations
and to comply with any existing Federal, State, or local laws or
regulations governing breach notification.
Good data governance also includes breach notification; every
organization responsible for managing education records that contain
PII should maintain a breach response plan. These plans should provide
specific guidelines for an appropriate and timely response to a breach,
including a clear description of what constitutes a breach, and a
description of the immediate steps to be taken in the event that a
breach is suspected. In particular, there should be a designated person
in the management chain who will be notified in the event of actual or
suspected breaches. When a breach occurs, the designated authority
should conduct an analysis of the likelihood of exposure and potential
harm to affected individuals. This analysis will inform whether
notification is warranted and what its content may be. There should
also be an analysis of the circumstances that resulted in the breach,
so that the system or procedures can be modified as quickly as possible
to avoid further breaches through the same mechanism.
Although the Department is not regulating on breach notification,
the following is being added to the best practices listed in Appendix
A:
Have plans to handle a data breach. While no one
anticipates a data breach, data loss may occur. The FERPA-permitted
entity may wish to include specific procedures in its written
agreements detailing the parties' expectations in the event that PII
from education records is lost, including specifying the parties'
responsibilities with regard to breach response and notification and
financial responsibility.
Changes: None.
Comment: The Department received requests to clarify to whom
breaches of written agreements should be reported.
Discussion: As discussed earlier in this preamble, it is not only
the FERPA regulations that govern what can be included in a written
agreement. As such, it is important to address any remedies that are
also available under State law. Nonetheless, a breach of the provisions
in a written agreement may also constitute a violation of FERPA and
should therefore be reported to FPCO.
Changes: None.
Comment: None.
Discussion: The Department wishes to reduce the implementation
burden of the new written agreement requirement in Sec. 99.35(a)(3) on
FERPA-permitted entities by only requiring that new, renewed, or
amended written agreements with authorized representatives that are
entered into on or after the effective date of the regulations comply
with the new requirement. The written agreement requirement in Sec.
99.35(a)(3) must be adhered to for any new designation of an authorized
representative that is not an employee as of the effective date of
these regulations. As provided in the DATES section of the preamble,
for written agreements that are in place with authorized
representatives prior to the effective date of the regulations, FERPA-
permitted entities must comply with the written agreement requirements
in Sec. 99.35(a)(3) when they renew or amend their agreements.
Changes: None.
Protection of PII From Education Records By FERPA-Permitted Entities
(Sec. 99.35(b)(1))
Comment: None.
Discussion: The Department wishes to make the language used to
refer to FERPA-permitted entities in Sec. 99.35(b)(1) consistent with
the language used to refer to FERPA-permitted entities in Sec. Sec.
99.35(a)(2) and (a)(3).
Changes: We have revised Sec. 99.35(b)(1) so that it uses the
term, ``State or local educational authority or agency headed by an
official listed in Sec. 99.31(a)(3),'' which is used in Sec. Sec.
99.35(a)(2) and (a)(3).
Disclosures to Organizations Conducting Studies (Sec. 99.31(a)(6))
Comment: A few commenters suggested that FERPA's ``for, or on
behalf of'' requirement in the studies exception contains a significant
limitation. Specifically, these commenters suggested that the exception
prohibits FERPA-permitted entities, such as an SEA, from redisclosing
PII from education records that they received under one of FERPA's
exceptions to the general consent rule,
[[Page 75627]]
for, or on behalf of, the original disclosing educational agency or
institution, such as an LEA, if the original agency or institution
objected to the disclosure. Another commenter asked that we further
amend Sec. 99.31(a)(6) to permit disclosures to organizations
conducting studies for, on behalf of, or in partnership with, or in the
interest of, educational agencies or institutions, as determined by
those agencies or institutions.
Discussion: We disagree that the phrase ``for, or on behalf of''
prohibits a disclosure to which the original disclosing educational
agency or institution objects. Historically, the Department has viewed
the ``for, or on behalf of'' requirement as being based on the unstated
premise that some form of agreement by the original disclosing
educational agency or institution, such as an LEA or postsecondary
institution, was a necessary prerequisite for these types of
disclosure. However, it has become necessary for the Department to
consider whether its interpretation concerning the ``for, or on behalf
of'' language was fully consistent with recently enacted laws.
We have concluded that ``for, or on behalf of'' does not require
the assent of or express approval by the original disclosing
educational agency or institution. For example, it is not necessary for
an SEA to secure the approval of an LEA prior to making disclosures
for, or on behalf of the LEA, so long as the SEA is acting with express
or implied legal authority and for the benefit of the LEA.
The changes to Sec. 99.31(a)(6)(ii) are necessary to clarify that
while FERPA does not confer legal authority on FERPA-permitted entities
to enter into agreements and act as representatives of LEAs or
postsecondary institutions, nothing in FERPA prevents them from
entering into agreements and redisclosing PII from education records
related to studies conducted on behalf of LEAs or postsecondary
institutions under Sec. 99.31(a)(6), provided that the redisclosure
requirements in Sec. 99.33(b) are met. Permissive disclosures of this
type may be made notwithstanding the objection of the LEA or
postsecondary institution so long as the disclosing FERPA-permitted
entity has independent authority to have the study conducted, whether
expressly stated or implied, and makes the disclosure on behalf of the
LEA or postsecondary institution.
We anticipate that the majority of redisclosures made by FERPA-
permitted entities will be made for, or with the approval of, the
original disclosing educational agency or institution. Nevertheless, we
can reasonably foresee instances in which these FERPA-permitted
entities would make redisclosures on behalf of an LEA or postsecondary
institution without obtaining its approval.
For instance, an SEA must have the authority to enter into
agreements with researchers to conduct studies to improve instruction
across LEAs within its own State. Studies such as these can help States
save money and improve student outcomes by identifying effective
practices and targeting limited resources accordingly, while
simultaneously increasing the transparency of taxpayer investments.
Therefore, in order to provide greater flexibility to FERPA-permitted
entities, we interpret the phrase ``for, or on behalf of'' to recognize
both disclosures for the LEA or postsecondary institution that are made
with the approval of the LEA or postsecondary institution and
disclosures made on behalf of the LEA or postsecondary institution that
are made for their benefit in the absence of their approval.
This approach ensures that FERPA-permitted entities have the
necessary latitude to fulfill their statutory and regulatory mandates.
They may conduct studies of publicly funded education programs while
still ensuring that any PII from education records is appropriately
protected. FERPA permits disclosure without consent to an organization
conducting a study ``for, or on behalf of, educational agencies or
institutions'' for statutorily enumerated purposes. 20 U.S.C.
1232g(b)(1)(F). We see no need to deviate from the statutory language
in the regulations and agree that Sec. 99.31(a)(6) permits disclosure
without consent to organizations conducting studies in partnership with
educational agencies or institutions, in which case we would view the
study as being ``for'' the educational agencies or institutions.
Similarly, as explained earlier in this discussion, we also view Sec.
99.31(a)(6) as permitting disclosure without consent to organizations
conducting studies for the benefit of educational agencies or
institutions, in which case we would consider the study to be ``on
behalf of'' educational agencies or institutions.
However, we disagree with the contention that only an educational
agency or institution may make the determination regarding whether a
study is for or on its behalf. Rather, FERPA-permitted entities may
also make the determination that a study is for the benefit of the
original disclosing educational agency or institution. For example, an
SEA may conduct a study that compares program outcomes across its LEAs
to further assess what programs provide the best instruction and then
duplicate those results in other LEAs.
Changes: None.
Comment: None.
Discussion: Upon further review, we decided to remove the proposed
requirement in Sec. 99.31(a)(6)(iii)(C)(4) and the requirement in
Sec. 99.31(a)(6)(ii)(C)(4) of the current regulations that permitted
an organization conducting a study to return PII from education records
to the FERPA-permitted entity, in lieu of destroying such information.
We made these changes so that the regulations are more consistent with
the statute, which requires the destruction of such information, and to
correct an inconsistency in the current and proposed regulations, which
required both the destruction of such information and the return or
destruction of such information. While returning the information to the
originating entity can be a form of destruction so long as the
organization conducting the study also properly erases all PII from
education records that is maintained in electronic format, returning
the information would be insufficient if the PII from education records
continues to be maintained in electronic format by the organization
conducting the study.
Changes: We have removed the proposed requirement in Sec.
99.31(a)(6)(iii)(C)(4) and the requirement in Sec.
99.31(a)(6)(ii)(C)(4) of the current regulations that permitted an
organization conducting a study to return PII from education records,
in lieu of destroying such information, in order to be more consistent
with the statute and to correct an inconsistency in the current and
proposed regulations.
Directory Information (Sec. Sec. 99.3 and 99.37)
Definition of Directory Information (Sec. 99.3)
Comment: One commenter supported the proposed change to the
definition of ``directory information,'' which clarifies that an
educational agency or institution may designate and disclose as
directory information a student's ID number, or other unique personal
identifier that is displayed on a student's ID card or badge, if the
identifier cannot be used to gain access to education records, except
when used in conjunction with one or more factors that authenticate the
student's identity. We also received numerous comments from a variety
of parties that expressed support for this change.
One commenter suggested that we remove from the definition of
``directory
[[Page 75628]]
information'' the items ``address,'' ``telephone listing,'' and ``date
and place of birth,'' noting that the availability of directory
information jeopardizes students' right to privacy and makes identity
theft easier. Another commenter raised a number of concerns about how
directory information might affect a student who is homeless and
recommended that a student's address not be included in the definition
of ``directory information'' for a student who meets the definition of
``homeless child or youth'' under the McKinney-Vento Homeless
Assistance Act. For a number of reasons, the commenter stated that
disclosing a homeless student's address would be harmful or an invasion
of privacy. A few commenters raised concerns about what they mistakenly
thought was an expansion of the definition of ``directory information''
by including any student ID number, user ID, or other unique personal
identifier used by a student for purposes of accessing or communicating
in electronic systems.
Discussion: We appreciate the support that we received from those
parties who agreed with the clarification we proposed to the definition
of ``directory information,'' and we regret any confusion caused by
including the entire definition in the NPRM. As we explained in the
preamble to the NPRM, we proposed to modify the definition of
``directory information'' only to clarify that under Sec. 99.37(c)(2),
an educational agency or institution may require students to wear or
display ID badges or identity cards that display directory information,
even if the parent or the eligible student opted out of directory
information. The inclusion of a student ID number or other unique
identifier in the definition of ``directory information'' is not new;
we made this amendment in 2008. The NPRM merely proposed to establish
that the student ID number or other unique identifier that we allowed
to be designated as directory information in 2008 could also be
displayed on a student ID card or badge.
With regard to the concerns about including in the definition of
``directory information'' such items as ``address,'' ``telephone
listing,'' and ``date and place of birth,'' we note that these items
have been in the FERPA statute since its enactment in 1974, and any
change to remove these items would require congressional action. We
include these and other items in the regulations, explaining in Sec.
99.37 that an educational agency or institution may disclose directory
information under certain conditions, including the condition that it
notify parents and eligible students of the types of PII from education
records it has designated as directory information. If a school has the
administrative capacity, it may permit parents or eligible students to
opt out of specific items it has designated. However, it has been our
understanding that most schools do not have the administrative capacity
to permit parents and eligible students to opt out of some, but not
all, directory information. Because the disclosure of directory
information is permissive, we have advised schools that they can employ
an all-or-nothing approach to the disclosure of directory information.
That is, a school may provide public notice of the items that it has
designated as directory information and permit parents and eligible
students to opt out of the disclosure of the items as a whole.
With regard to the comment about not designating an address as
``directory information'' for a student who is homeless, as explained
elsewhere, FERPA provides schools with the authority to include or
exclude any items within the definition of ``directory information.''
The definition of ``directory information'' in FERPA is generally a
guideline for schools to use in designating types of information as
directory information. A school is not required to designate all of the
types of information given as examples in FERPA as directory
information. The decision to designate certain types of information as
directory information, such as the student's address, is left to the
discretion of the individual educational agency or institution.
We share the concerns raised by commenters that certain directory
information items may make identity theft easier in our modern
information age. We encourage school officials to be cognizant of this
fact and, if feasible, to work hand-in-hand with parents and eligible
students in their community to develop a directory information policy
that specifically meets their needs and addresses legitimate concerns.
Changes: None.
Student ID Cards and ID Badges (Sec. 99.37)
Comment: Several commenters expressed support for the proposed
amendment in Sec. 99.37(c)(2), which provides that parents and
eligible students may not use their right to opt out of directory
information disclosures in order to prevent an educational agency or
institution from requiring students to wear or otherwise disclose
student ID cards or badges that display information that may be
directory information. One commenter noted that schools can embed
student ID numbers in bar codes or magnetic stripes, as needed, to
avoid any privacy conflicts. A student stated that a university should
be able to require that students wear ID badges on campus in order to
better protect students.
Another commenter recommended that we specify which directory
information can be displayed on a student ID card or badge. Some
commenters asked if there would be any situations in which a student
might be exempted from wearing an ID badge, such as where a student is
the victim of stalking at a large postsecondary institution. Another
commenter expressed concern that including a student ID number as
directory information would have a negative effect on students
receiving services under the Individuals with Disabilities Education
Act (IDEA) and raised concerns about physical safety and protection
from identity theft. The commenter suggested that a student ID number
or other unique identifier that may be displayed on a student ID card
and is designated as directory information should not be used--even in
conjunction with one or more factors that authenticate the user's
identity--to gain access to education records. The same commenter
supported permitting a school to require a student to wear or publicly
display a student ID card or badge that exhibits directory information,
as long as the student ID number cannot be used to gain access to
education records.
A commenter also suggested that we amend this provision to include
other activities for which parents and eligible students cannot opt
out, such as participation in education activities that require sign-in
access to electronic systems. Specifically, the commenter requested
that we add a new requirement stating that a parent or eligible student
could not opt out of directory information disclosures to prevent an
educational agency or institution from disclosing or requiring a
student to disclose the student's name, identifier, or institutional
email address in a class in which the student is enrolled. This would
include access to instruction, curriculum, courses, or other
administrative functions provided online. The commenter stated that the
increased use of electronic systems for both instructional and
administrative activities dictates that the Secretary not differentiate
between these types of activities in which students may opt out. The
commenter asked for these changes to ensure that students are not
allowed to opt out of participation in various classroom or other
instructional activities simply because they have to
[[Page 75629]]
sign on to an electronic system. Another commenter asked that we not
permit the student's picture to be on the student ID. This commenter
also expressed support for permitting parents and eligible students to
have the right to opt out of wearing a student ID badge.
Discussion: We appreciate the support we received concerning this
proposed change. With regard to the comment that we specify the
directory information that can or cannot be displayed on an ID card or
badge (e.g., a student's picture), we do not believe this is
appropriate or necessary. Rather, we believe that educational agencies
and institutions should have the flexibility to make these
determinations best suited to their particular situations. Similarly,
we do not believe that we should require that information displayed on
a student ID card or badge contain only information that cannot be used
to gain access to education records. Student ID numbers, user IDs, and
any other unique personal identifiers may only be included as directory
information if they cannot be used to gain access to education records
except when used in conjunction with one or more other factors that
authenticate the user's identity.
For the same reasons school administrators need the flexibility to
determine what type of information is directory information, they need
to have the flexibility to determine what directory information should
be included on a student ID card or badge. Smaller schools may know
their student population well enough that they may not need to have an
ID number or other unique identifier, while larger LEAs, colleges, and
universities may need to include more information. As one school
official noted, educational agencies and institutions can embed student
ID numbers in bar codes or magnetic stripes to address privacy
concerns, including identity theft. This practice would also address
the apprehension of some commenters that some students may have special
reasons for not wearing ID badges, such as special education students,
younger children, or students who are the victims of stalking. This
amendment to FERPA permits, but does not require, schools to include
directory information on student ID cards and badges or to require
students to wear or display ID cards and badges.
With regard to the request that we include other activities for
which parents and students cannot opt out, such as activities that
require sign-in access to electronic systems for instructional and
administrative activities, we note that this is outside the scope of
the NPRM and, therefore, do not believe it is appropriate to address in
these final regulations.
Additionally, in 2008, we expanded the definition of ``directory
information'' in Sec. 99.3 of the FERPA regulations to include a
student ID number, user ID, or other unique personal identifier used by
the student for purposes of accessing or communicating in electronic
systems, if the identifier could not be used to gain access to
education records, except when used in conjunction with one or more
factors to authenticate the user's identity. Further, the 2008
regulation changes revised the definition of ``attendance'' to
clarify that students who are not physically present in the classroom
may attend an educational agency or institution via videoconference,
satellite, Internet, or other electronic information and
telecommunications technologies.
In 2008, we also amended Sec. 99.37(c) to state that parents or
eligible students may not use their right to opt out of directory
information to prevent a school from disclosing, or requiring the
disclosure of, a student's name, identifier, or institutional email
address in a class in which the student is enrolled. 73 FR 74806
(December 9, 2008). These three provisions are read together to permit
directory information to be used to access online electronic systems
and to prevent opt-out rights from being used to prevent an educational
agency or institution from disclosing or requiring a student to
disclose the student's name, identifier, or institutional email address
in a class that the student is attending, in either a traditional
or non-traditional classroom setting.
Changes: None.
Limited Directory Information Policy (Sec. 99.37(d))
Comment: A number of commenters expressed support for the proposal
clarifying that an educational agency or institution may have a limited
directory information policy. One commenter stated that this
clarification will provide educational agencies and institutions with
more certainty and control in using directory information for their own
purposes. A few commenters stated that it would be helpful if the
regulations clarified that institutions can have different policies
based on each specific type or subset of directory information, such as
being able to institute a policy that only certain directory
information may be disclosed to specific parties. Some pointed out that
the proposed regulations did not specify whether a school could put
into effect a policy that specifically limits who may not receive
directory information. Two commenters recommended that the regulations
explicitly state that directory information designated by a school may
not be disclosed, except for the limited disclosure to specific
parties, or for specific purposes, or both.
One commenter supported the amendment to permit schools to have a
limited directory information policy, believing this change would help
ensure that school officials do not contact landlords, employers, or
other third parties to discuss a child's housing situation. One
commenter stated that he opposed any changes to the FERPA regulations
that would restrict access to directory information. Another commenter
said that adopting Sec. 99.37(d) as proposed would add confusion and
may raise unnecessary allegations of improper disclosure of directory
information from parents and eligible students. This commenter pointed
out that there is no requirement in FERPA that a school adopt a
directory information policy or disclose directory information even if
it has a policy. One commenter expressed concern that the proposed
changes to the definition of ``directory information'' do not
adequately address the capacity of marketers and other commercial
enterprises to obtain, use, and re-sell student information. The
commenter stated that few parents are aware, for example, that anyone
can request and receive a student directory from a school. The
commenter also stated that States may take action, through legislation,
to tighten restrictions on the use of directory information, perhaps
restricting the disclosure of directory information for marketing
purposes.
A few commenters expressed concern that the proposal to permit
schools to have a limited directory information policy would prevent
the release of information about students to those who have a
legitimate reason for obtaining the information, including the media.
The commenters also expressed concern that withholding directory
information could become a tool for schools to engage in retribution
against disfavored media outlets, social or political causes, or
parental activist groups. The commenters stated that the Secretary
should give detailed guidance to educational agencies and institutions
concerning this change in order to diminish any negative effect that
such policies could have on the free flow of information to the public.
These commenters stated that the effect of the regulatory changes will
be that schools will decide not to disclose directory information to
the media for any reason,
[[Page 75630]]
including publicity or investigations. One of these commenters said
that it was not clear how recipients of directory information would be
chosen, whether the specific parties would be selected by the
institution or by each individual student. This commenter noted that a
limited directory information policy might make it difficult for a
party that was not included in the policy at the beginning of a year
but that needed to do business with the school mid-year to have fair
access to directory information.
A commenter stated that the ability to disclose directory
information for some purposes, but not others, might prove more useful
to educational agencies and institutions that are not subject to a
State open records law than to those that are. Educational agencies and
institutions that are subject to open records laws would be required to
disclose all directory information and would not benefit from a limited
directory information policy. The commenter requested clarification
whether the ability to limit directory information is optional and
whether a failure to institute such a policy would subject the
institution to enforcement proceedings by the Department. Similarly,
another commenter asked for clarification as to whether a school that
chose not to adopt a limited directory information policy may under the
proposed regulations still limit the disclosure of directory
information to whomever they want, and for whatever reason they want,
even though State law may require disclosure.
Finally, a few commenters pointed out that even under a limited
directory information policy, it would not be a violation of FERPA for
a party that received directory information to redisclose it. To
address that issue, some of the commenters supported the idea of a non-
disclosure agreement so that the disclosing school could control any
redisclosures of directory information. However, one commenter stated
that our suggestion in the preamble to the NPRM that schools adopt a
non-disclosure agreement is unrealistic; schools may have difficulty
identifying who may redisclose the information, and schools have no
authority and limited resources to enforce such agreements. This
commenter also stated that making recipients sign such agreements could
be a significant administrative burden for LEAs that receive many
requests for directory information, even if they have adopted a limited
directory information policy.
Discussion: Under FERPA, educational agencies and institutions are
only required to provide access to education records to parents and
eligible students. All other disclosures listed in Sec. 99.31 are
optional. This includes the disclosure of directory information under
Sec. 99.31(a)(11), under the conditions specified in Sec. 99.37.
However, some educational agencies and institutions have advised, and
administrative experience has shown, that State open records laws have
required disclosure of student directory information because, in most
cases, FERPA does not specifically prohibit the disclosure of this
information. It is our understanding that many, if not most, State open
records or sunshine laws require that public entities, such as public
schools, LEAs, and State colleges and universities, disclose
information to the public unless the disclosure is specifically
prohibited by another State law or by a Federal law such as FERPA.
Thus, in practice, while FERPA only requires schools to disclose PII
from education records to parents or eligible students, State sunshine
laws may require the public release of properly designated directory
information from which parents and eligible students have not opted
out.
With regard to the commenter who asked whether a school that
chooses not to adopt a limited directory information policy could still
limit the disclosure of directory information if its State law required
the disclosure, FERPA permits the disclosure of directory information
but it does not require it. Some States have State open records laws
that may require the disclosure of directory information if a school
has a directory information policy and the parent or eligible student
has not opted out.
We believe that the FERPA regulations will better assist
educational agencies and institutions in protecting directory
information if an educational agency or institution that adopts a
limited directory information policy limits its directory information
disclosures only to those parties and purposes that were specified in
the policy. To clarify, this regulatory scheme gives each school the
option of limiting its directory information disclosures and does not
subject a school to enforcement proceedings by FPCO if the school
elects not to limit disclosure to specific parties or for specific
purposes, or both.
With regard to the recommendations by commenters that the
regulations explicitly state that directory information not be
disclosed except to specific parties or for specific purposes, we do
not believe this change is necessary. As noted, neither the disclosure
of directory information nor the adoption of a limited directory
information policy is required by the regulations. The regulations make
clear that if a school chooses to adopt a limited directory information
policy, then it must limit its directory information disclosures to
those specified in its public notice.
With regard to concerns expressed by commenters about directory
information being released to entities for marketing purposes, a school
has the flexibility to allow or restrict disclosure to any potential
recipient. For example, a limited directory information policy may be
expressed in a negative fashion, indicating that the school does not
disclose directory information for marketing purposes. While Congress
has not amended FERPA to specifically address disclosure of directory
information to companies for marketing purposes, Congress amended
section 445 of GEPA, commonly referred to as the Protection of Pupil
Rights Amendment (PPRA), in 2001 to address this issue. Public Law
107-110, Sec. 1061.
Under PPRA, LEAs are required to work in consultation with parents
to develop and adopt a policy governing the collection, disclosure, or
use of personal information collected from students for the purpose of
marketing or for selling that information (or otherwise providing that
information to others for those purposes). The policy must include
arrangements to protect student privacy in the event of such
collection, disclosure, or use. LEAs are also required to notify
parents of students of any activities that involve the collection,
disclosure, or use of personal information collected from students for
the purpose of marketing or selling that information (or otherwise
providing that information to others for those purposes) so that
parents may opt their child out of participation in those activities.
20 U.S.C. 1232h(c)(1)(E) and (c)(2). While PPRA does not generally
apply to postsecondary institutions, understanding and complying with
its requirements for LEAs should address some of the commenters'
concerns about this matter.
With regard to the fact that we did not propose to amend the FERPA
regulations to prevent third parties that receive directory information
from further disclosing it, we do not believe that it is realistic to
make such a change. By its nature, directory information is intended to
be publicly shared. Congress included the disclosure of properly
designated directory information as an exception to the general consent
requirement in FERPA so that schools may make disclosures of the type
of information generally not
[[Page 75631]]
considered harmful or an invasion of privacy, such as information on
students that would normally be found in a school yearbook or
directory. It is not administratively practicable to take action
against a third party that rediscloses directory information. For
example, it would be virtually impossible to control how student
information contained in a yearbook is distributed to others.
Therefore, we believe that schools are in the best position to
determine who should receive directory information and, should they
choose, implement a limited directory information policy.
With regard to the commenter who stated that adopting the limited
directory information provision in the regulations would add confusion
and possibly raise unnecessary allegations of improper disclosure from
parents and eligible students, we do not believe this is the case. On
the contrary, the option to have a limited directory information policy
should better protect against improper disclosures of PII from
education records and reduce the number of complaints in this regard.
With regard to our recommendation that schools adopting a limited
directory information policy consider entering into non-disclosure
agreements to restrict the information from being further disclosed, we
agree that this will not always be feasible. Clearly there are
situations in which a school could not have a non-disclosure agreement,
such as when it publishes directory information in a school yearbook, a
sports event program, or a program for a school play. Schools will have
to exercise judgment with respect to whether to utilize non-disclosure
agreements to prevent further disclosure of directory information by
assessing the circumstances surrounding the disclosure of the directory
information.
Finally, we note that the regulatory change to allow educational
agencies and institutions to implement a limited directory information
policy was not specifically intended to address how schools interact
with or disclose directory information to members of the media. Rather,
we were addressing concerns raised by school officials who, alarmed
about the increase in identity theft, expressed a need to protect the
privacy of students' directory information. We encourage school
officials to act responsibly in developing a limited directory
information policy and to keep in mind routine disclosures that schools
need to make in the normal course of business, including providing
properly designated directory information to the media about various
student activities and extracurricular pursuits of students.
Changes: None.
General Enforcement Issue (Sec. 99.67)
Comment: Several commenters stated that the Department lacks the
legal authority to investigate, review, process, or enforce an alleged
FERPA violation committed by recipients of Department funds under a
program administered by the Secretary that students do not attend.
These recipients include, but are not limited to, SEAs, nonprofit
organizations, student loan lenders, and guaranty agencies.
Specifically, the commenters stated that nonprofit organizations,
guaranty agencies, and lenders could not be considered educational
agencies or institutions under FERPA because these organizations have
no students in attendance. In addition, some commenters argued that
because student loan lenders, servicers, and guaranty agencies, as
financial institutions, are already subject to numerous Federal laws
that require them to protect PII from education records, making them
subject to FERPA would not effectively increase protection.
Discussion: The Department disagrees with the comment that it does
not have the legal authority to take enforcement actions against
entities that receive Department funding under a program administered
by the Secretary that students do not attend. Section (f) of FERPA
provides that the Department shall take appropriate actions to enforce
and deal with violations of provisions in FERPA in accordance with
GEPA. 20 U.S.C. 1232g(f). However, as we discussed in the preamble to
the NPRM (76 FR at 19733), the current regulations do not clearly
describe the entities against which we may take actions under section
(f) of FERPA. Accordingly, the Department believes that it is necessary
to clarify in these new regulations that FPCO has the authority to hold
these entities responsible for FERPA compliance, given the disclosures
of PII from education records that are needed to implement SLDS. We
believe this clarification is necessary in light of recent developments
in the law.
In addition, in order for the Department to appropriately
investigate, process, and review complaints and alleged violations of
FERPA, the Department proposed in Sec. 99.60(a)(2) to take a more
expansive view of the term ``educational agency or institution.'' The
expanded definition would include entities that do not necessarily have
students in attendance but still receive Department funding under a
program administered by the Secretary and which, nevertheless, are in
possession and control of PII from education records.
The Department continues to believe that it is necessary to use its
broad enforcement powers to ensure that FERPA's protections apply to
these recipients. The Department has decided, however, not to define in
Sec. 99.60(a)(2) all recipients of Department funding under a program
administered by the Secretary as ``educational agencies and
institutions'' in the context of the enforcement provisions, as was
reflected in proposed Sec. 99.60(a)(2), because it is evident from the
comments that the terminology is confusing. We have decided instead to
revise Sec. Sec. 99.61 through 99.67, which set out FERPA's
enforcement procedures. These amendments authorize the Department to
investigate, process, and review complaints and violations of FERPA
alleged to have been committed by educational agencies and
institutions, as well as other recipients of Department funds under any
program administered by the Secretary (e.g., State educational
authorities, such as SEAs, and State postsecondary agencies, local
educational authorities, nonprofit organizations, student loan guaranty
agencies, and student loan lenders). Because these entities receive PII
from education records, we believe that this change is justified in
order to protect against improper redisclosure of PII from education
records.
In the case of an improper redisclosure of PII from education
records by a non-profit organization, lender, servicer, or guaranty
agency that is a recipient of Department funds under a program
administered by the Secretary and that received PII from education
records from an institution of higher education, the Department will
enforce sanctions against the responsible party, whether that be the
non-profit organization, lender, servicer, or guaranty agency. The
Department, however, may also pursue enforcement measures against the
institution of higher education, depending on the circumstances. In
addition, we are not convinced that other confidentiality laws that
apply to financial institutions provide the same protections as FERPA.
Although the confidentiality laws cited by the commenters address
privacy generally, they are not specifically designed to protect the
confidentiality of student education records. Moreover, while the
Secretary can take steps to enforce FERPA directly, we may need to rely
on other Federal and State agencies to enforce these other
confidentiality laws identified by the commenters.
[[Page 75632]]
Changes: The Department has decided not to adopt the change
proposed in Sec. 99.60(a)(2), which would have defined, solely for
purposes of enforcement of FERPA under 34 CFR part 99, subpart E, all
recipients of Department funds under a program administered by the
Secretary as ``educational agencies and institutions.'' Rather, the
Department has decided to amend Sec. Sec. 99.61 through 99.67 to
clarify FPCO's enforcement responsibilities. Specifically, we revised
these sections to clarify that FPCO may investigate, review, and
process complaints filed against, or alleged violations of FERPA
committed by, any recipient of Department funds under a program
administered by the Secretary--not just educational agencies and
institutions--and may hold any such recipient accountable for
compliance with FERPA.
Comment: One commenter asked that we clarify which enforcement
tools legally available to the Secretary would be utilized in actions
against State and local educational authorities and other recipients of
Department funding under a program administered by the Secretary.
Four commenters requested that the Department adopt more
significant penalties, including incarceration and substantial fines,
for FERPA violations caused by authorized representatives. Another
commenter stated that the Department should sanction an entity that
makes an unauthorized disclosure by requiring the entity to surrender
all PII from education records already in its possession. Several
commenters stated that other privacy statutes include significant
sanctions and that FERPA requires a similar deterrent to prevent
violations of student privacy.
Discussion: In FERPA, Congress expressly directed the Secretary to
``take appropriate actions'' to ``enforce'' FERPA and ``to deal with
violations'' of its terms ``in accordance with [GEPA].'' 20 U.S.C.
1232g(f).
In GEPA, Congress provided the Secretary with the authority and
discretion to take enforcement actions against any recipient of funds
under any program administered by the Secretary for failures to comply
substantially with any requirement of applicable law, including FERPA.
20 U.S.C. 1234c(a). GEPA's enforcement methods expressly permit the
Secretary to issue a complaint to compel compliance through a cease and
desist order, to recover funds improperly spent, to withhold further
payments, to enter into a compliance agreement, or to ``take any other
action authorized by law,'' including suing for enforcement of FERPA's
requirements. 20 U.S.C. 1234a, 1234c(a), 1234d; 1234e; 1234f; 34 CFR
99.67(a); see also United States v. Miami Univ., 294 F.3d 797 (6th Cir.
2002) (affirming the district court's decision that the United States
may bring suit to enforce FERPA). Therefore, the Secretary will use one
or a combination of these enforcement tools as is appropriate given the
circumstances. Additionally, the Department has the authority to impose
the five-year rule against any entity that FPCO determines has violated
FERPA either through an improper redisclosure of PII from education
records or through its failure to destroy PII from education records
under the studies exception. (See discussion of five-year rule later in
this preamble.)
With respect to the suggestion that we create additional penalties,
the Department lacks the statutory authority to incarcerate violators,
impose fines, or force a third party to surrender all PII from
education records currently in its possession.
Changes: None.
Comment: One commenter requested that the Department clarify that
``non-school entities'' are only required to comply with FERPA to the
extent they have received FERPA-protected PII from education records
from an educational agency or institution.
Discussion: The Department would only take actions against ``non-
school entities'' that have not complied with FERPA requirements that
relate to PII from education records they received under one of the
exceptions to FERPA's general consent requirement. The Department has
no authority under FERPA to take actions for other PII these entities
may possess.
Changes: None.
Comment: A commenter suggested that other parties beyond those
enumerated in the statute (i.e., eligible parents and students) should
have standing to file complaints with FPCO. Further, this commenter
suggested that the Department should increase the amount of time a
complainant has to file a complaint with FPCO.
Discussion: We decline to expand the entities eligible to file
complaints with FPCO beyond parents and eligible students and decline
to increase the amount of time a complainant has to file a complaint
with FPCO beyond 180 days of the date of the alleged violation (or of
the date that the complainant knew or reasonably should have known of
the alleged violation). We did not propose these changes in the NPRM
and therefore cannot make these changes in these final regulations
without allowing an opportunity for further public comment and review.
Still, it is important to note that FPCO can initiate an investigation
on its own, without receiving a complaint, to address other violations.
Changes: None.
Comment: One commenter asked us to consider expanding the scope of
our enforcement procedures to apply to tax exempt organizations under
26 U.S.C. 501(c) that students do not attend and that are not the
recipients of Department funds but that have PII from education
records.
Discussion: If a tax exempt organization under 26 U.S.C. 501(c) has
PII from education records, but is not a recipient of funds under a
program administered by the Secretary, then the Department would not
have the authority under GEPA to take enforcement measures against such
an organization. FPCO, however, may impose, under 20 U.S.C.
1232g(b)(4)(B) and new Sec. 99.67(c), (d), and (e), the five-year rule
against any entity that FPCO determines has violated FERPA either
through an improper redisclosure of PII from education records received
under any of the exceptions to the general consent rule or through the
failure to destroy PII from education records under the studies
exception. (See discussion of five-year rule later in this preamble.)
For instance, if an LEA's authorized representative does not
receive funding from the Department and violates FERPA due to poor data
security practices, FPCO could apply the five-year rule by prohibiting
the disclosing LEA from providing PII from education records to the
authorized representative for at least five years. If the disclosing
LEA refuses to comply and continues its relationship with the
authorized representative, FPCO could, under GEPA, terminate funding to
the LEA.
Changes: None.
Comment: One commenter asked that we clarify how the enforcement
measures would apply if a contractor of an entity that received funding
under a program administered by the Department violated FERPA's
requirements. The commenter wanted to know, for example, what the
liability of a school would be if its contractor violated FERPA.
Discussion: Whether the Department would take enforcement action
against a contractor that violates FERPA under a program administered
by the Secretary depends upon the exception to FERPA under which the
contractor received the PII from education records, whether the
contractor was a recipient of Department funds, and the
[[Page 75633]]
circumstances of the violation. If the contractor was a recipient of
Department funds and violated FERPA, the Department could impose
sanctions as permissible under GEPA. If the contractor was not a
recipient of Department funds and improperly disclosed PII from
education records received under any of the exceptions to the general
consent rule or failed to destroy PII from education records in
accordance with the requirements of the studies exception, the
Department could implement the five-year rule. (See discussion of the
five-year rule later in this preamble.)
Likewise, the Department may also take enforcement action against
the entity that disclosed PII from education records to the contractor.
For example, if the contractor was acting as an authorized
representative of a FERPA-permitted entity and violated FERPA, FPCO
would investigate and review whether the disclosing entity met all of
its obligations under FERPA, such as using reasonable methods to
ensure to the greatest extent practicable the FERPA compliance of the
contractor. FPCO could take applicable GEPA enforcement actions against
the disclosing entity, if it did not meet its responsibilities.
If the contractor received PII from education records while acting
as a school official under Sec. 99.31(a)(1)(i)(B), then the
educational agency or institution would be liable for the contractor's
FERPA violation and is subject to GEPA enforcement actions by the
Department. In any of these instances, FPCO would initiate an
investigation and seek voluntary compliance before imposing any
sanctions.
Changes: None.
Five-Year Rule (Sec. 99.67)
Comments: Many commenters raised questions about the provision in
FERPA that prohibits an educational agency or institution from
disclosing PII from education records to a third party ``for a period
of not less than five years'' if that third party improperly
rediscloses PII from education records received under any of the
exceptions to the general consent rule or fails to destroy PII from
education records under the studies exception. 20 U.S.C.
1232g(b)(4)(B).
Multiple commenters appeared to believe that the Department was
proposing the five-year rule for the first time in the NPRM and
questioned whether the Department had the legal authority to implement
such a rule. One commenter specifically opposed the rule on the grounds
that it was inconsistent with the statute and that changes in the law
should be made through a legislative amendment and not rulemaking.
Discussion: To clarify, the Department did not propose the five-
year rule for the first time in the NPRM; rather, Congress amended
FERPA in the Improving America's Schools Act of 1994, Sec. 249, Public
Law 103-382, to provide that if a ``third party outside the educational
agency or institution'' improperly rediscloses FERPA-protected data
that it received under any of the exceptions to the general consent
rule or fails to destroy information under the studies exception, then
the educational agency or institution ``shall be prohibited from
permitting access to information * * * to that third party for a period
of not less than five years.'' 20 U.S.C. 1232g(b)(4)(B).
The Department amended its regulations to implement this statutory
change in 1996. 61 FR 59292 (November 21, 1996). The Department's
current regulations in Sec. 99.31(a)(6)(iv) and Sec. 99.33(e), taken
together, provide that if FPCO determines that a third party outside
the educational agency or institution improperly rediscloses PII from
education records in violation of Sec. 99.33 or fails to destroy PII
from education records in violation of Sec. 99.31(a)(6)(ii)(B), then
the educational agency or institution may not provide that third party
access for a minimum period of five years.
Still, based upon the confusion expressed by commenters regarding
the five-year rule, we are changing the final regulations to
consolidate all regulatory provisions relating to the five-year rule
into one section of the regulations, Sec. 99.67. This is not a
substantive change, but it is one intended to improve comprehension and
promote ease of use because we believe it will be helpful for readers
to see all of the regulatory language concerning the five-year rule in
a single regulatory section.
Changes: We are removing the existing two provisions in Sec.
99.31(a)(6)(iv) and Sec. 99.33(e) regarding the five-year rule and
consolidating all provisions relating to the five-year rule into Sec.
99.67.
In addition, we are changing the language that we proposed in Sec.
99.35(d) that stated that in the event that FPCO finds an improper re-
disclosure of PII from education records, ``* * * the educational
agency or institution from which the [PII] originated may not allow the
authorized representative, or the State or local educational authority
or the agency headed by an official listed in Sec. 99.31(a)(3), or
both, access to [PII] from education records for at least five years.''
65 FR 19738 (April 8, 2011). Specifically, we are replacing
``authorized representative, or the State or local educational
authority or the agency headed by an official'' in proposed Sec.
99.35(d) with ``the third party'' in the final regulation. Similarly,
we are also consolidating the text of proposed Sec. 99.35(d) into
Sec. 99.67, the enforcement section.
Comment: Many commenters asked which entities were subject to the
five-year rule. Some of these commenters expressed concern that the
rule would be enforced against an entire educational agency or
institution acting as a third party, such as a State university system,
and asked whether the rule could be applied in a more limited manner
against an individual researcher or department within the educational
agency or institution, arguing, for example, that if an individual
researcher is at fault, it would be excessive to prohibit an entire
organization from receiving PII from education records for a period of
not less than five years.
At the same time, others were equally emphatic that the rule must
apply to the entire educational agency or institution acting as a third
party to have any enforcement effect or to deter potential violations.
Consequently, many of these commenters asked how the Department would
define an educational agency or institution acting as a third party.
One commenter recommended that the five-year rule only be applied
against an educational agency or institution acting as a third party
that was expressly responsible for the unauthorized redisclosure of PII
from education records. Another commenter wanted the Department to
clarify whether FERPA-permitted entities could be subjected to the
five-year rule due to an unauthorized redisclosure of PII from
education records made by the FERPA-permitted entity's authorized
representative.
Discussion: The statute and current Sec. Sec. 99.31(a)(6)(iv) and
99.33(e), taken together, are clear that any third party outside of the
educational agency or institution that improperly rediscloses PII from
education records received under any of the exceptions to the general
consent rule or fails to destroy PII from education records as required
under current Sec. 99.31(a)(6)(ii)(B) may be subjected to the five-
year rule. We understand a ``third party'' to refer broadly to any
entity outside of the educational agency or institution from which the
PII from education records was originally disclosed and may include an
authorized representative. In other words, authorized representatives
[[Page 75634]]
make up a subset of the larger set of third parties outside the
educational agency or institution from which the PII from education
records was originally disclosed. Any individual or entity to which PII
from education records is disclosed without consent by an educational
agency or institution under Sec. 99.31(a), except for disclosures
under Sec. 99.31(a)(1) to school officials because they are within the
educational institution or agency, is a third party.
The NPRM proposed adding a third regulatory provision to Sec.
99.35 in order to implement the five-year rule more specifically in the
context of an improper redisclosure of PII from education records by
FERPA-permitted entities or by their authorized representatives (which
are third parties). As explained in the NPRM, the Department sought to
clarify that FPCO could impose the five-year rule against FERPA-
permitted entities, their authorized representatives, or both. Under
the final regulations, the provisions of the five-year rule apply to
all improper redisclosures by third parties outside of the educational
agency or institution from which PII from education records was
originally disclosed. These third parties include FERPA-permitted
entities or their authorized representatives, whether they obtained PII
from education records under the studies exception, the audit or
evaluation exception, or any other exception to the requirement of
consent in Sec. 99.31(a) (other than Sec. 99.31(a)(1), which applies
to disclosures to school officials who are within the educational
institution or agency).
The five-year rule also applies to all third parties that fail to
destroy PII from education records in violation of the studies
exception in Sec. 99.31(a)(6). By contrast, the statute does not
specifically authorize the Department to apply the rule against a third
party for failure to destroy PII from education records under the audit
or evaluation exception or for other inappropriate activities that
affect privacy beyond the improper redisclosure and the failure to
destroy PII from education records in violation of the studies
exception in Sec. 99.31(a)(6), as discussed earlier. However, FERPA-
permitted entities are free to include sanctions for other
inappropriate activities that affect privacy as part of their written
agreements with third parties and authorized representatives.
Changes: None.
Comment: Many commenters requested clarification regarding how the
five-year rule would be implemented and specifically requested a
detailed explanation regarding who could enforce the rule, how the rule
would be applied, and whether those sanctioned would have a right to
appeal. Several commenters asked how much discretion educational
agencies and institutions would have to either bar third parties or
authorized representatives under the five-year rule or to modify the
length of the debarment depending upon the circumstances.
Several commenters asked how much discretion the Department would
have when applying the five-year rule. Some expressed concern that the
Department would apply the five-year rule automatically after a single
unauthorized redisclosure of PII from education records by a third
party. One commenter expressed concern that the Department would apply
the rule like a ``zero tolerance'' policy.
Concerned about the severity of the five-year rule, many commenters
requested an opportunity to come into compliance with approved best
practices and methods for data protection as an alternative to an
immediate application of the five-year rule. One commenter suggested
remediation as an alternative to the five-year rule to help a third
party with the process of voluntary compliance.
Another commenter asked the Department to amend the regulations to
apply the five-year rule only when there are repeated, unauthorized
redisclosures of PII from education records or when the parties
responsible for the unauthorized disclosure are grossly negligent. Some
of these commenters suggested that we take into account the level or
magnitude of the improper redisclosure. One commenter suggested that
the regulations should be modified to recognize that in today's
technological environment, it is not feasible to require absolute
compliance.
Finally, a few commenters asked whether debarment under the five-
year rule ``follows'' an individual who has been debarred from one
employer to the individual's next employer. These commenters also asked
whether debarment attaches to a third party even if the individual who
is found to be responsible for an improper redisclosure of PII from
education records leaves the employment of that third party.
Discussion: Some commenters appeared to have misunderstood the NPRM
as proposing that an individual school or LEA would have the authority
to impose the five-year rule against a third party, such as an SEA or a
Federal agency headed by an official listed in Sec. 99.31(a)(3), in
the event of an improper redisclosure by that third party. This is
incorrect--only FPCO has the authority to impose the five-year rule
against third parties that FPCO determines have violated either the
redisclosure provisions of Sec. 99.33 or the destruction requirements
of Sec. 99.31(a)(6)(iii)(B). In other words, only FPCO has the
authority to implement the five-year rule to prohibit an educational
agency or institution from providing a third party with access to
FERPA-protected data.
When making such a determination, FPCO, consistent with its
longstanding practice, will investigate allegations of third parties
improperly redisclosing PII from education records under Sec. 99.33 or
failing to destroy data under Sec. 99.31(a)(6)(iii)(B). If FPCO were
to find a FERPA violation, then it would first attempt to bring the
offending third party into voluntary compliance. As suggested by one
commenter, FPCO may use remediation as a tool to bring the third party
into voluntary compliance. For instance, if FPCO were to investigate
and determine that a third party had failed to timely destroy data,
FPCO could work with the third party conducting the study to implement
an appropriate destruction policy. If FPCO were unable to bring the
offending third party into voluntary compliance, then FPCO would have
the discretion to prohibit the educational agency or institution from
allowing that third party access to PII from education records for a
period of at least five years. In deciding whether to exercise this
discretion and which third parties should be banned, FPCO will consider
the nature of the violation and the attendant circumstances. One factor
FPCO will consider is whether the third party has repeatedly
redisclosed PII from education records improperly, which will make it
more likely that FPCO will apply the five-year rule. The Department
believes that outlining this detailed process here provides adequate
clarification of FPCO's enforcement procedures.
Moreover, as discussed in more detail earlier in this preamble,
FPCO is not limited to the five-year rule in the enforcement actions it
may take; it also has the discretion to consider whether it would be
more appropriate to apply GEPA enforcement mechanisms against those
third parties receiving Department funds. Accordingly, the five-year
rule is not a ``zero tolerance'' policy, as suggested by one commenter,
and FPCO would not apply the rule without considering the facts of each
particular situation, as some commenters feared.
As for whether a third party would be able to appeal a decision
made by FPCO to prohibit an educational agency or institution from
disclosing PII from
[[Page 75635]]
education records to that third party, no such appeal right exists.
Under current Sec. 99.60(b)(1), only FPCO has the authority to
``[i]nvestigate, process, and review complaints and violations under
the Act * * *.'' FPCO also retains complete authority to enforce the
five-year rule, and its decisions are final. However, FPCO's
investigative process would provide ample opportunity for the party
being investigated to have FPCO consider all relevant facts and
circumstances before making a decision.
Importantly, the fact that FPCO must find a violation before the
five-year rule may be enforced does not relieve educational agencies
and institutions or FERPA-permitted entities of their responsibility to
protect PII from education records. As discussed earlier, we encourage
FERPA-permitted entities that are redisclosing PII from education
records to third parties to include sanctions in their written
agreements with their third parties and authorized representatives, and
to enforce those sanctions. FERPA-permitted entities, and their
authorized representatives, may agree to any sanctions permissible
under applicable law. For instance, written agreements could call for
monetary penalties, data bans of varying length, or any of the range of
civil penalties that the disclosing entity believes is appropriate. The
Department encourages the use of these agreed-upon sanctions to ensure
control and proper use of PII from education records.
Finally, depending upon the specific facts of the situation,
debarment may ``follow'' an individual who has been sanctioned under
the five-year rule from one employer to another. Further, debarment
would likely not remain attached to a third party if it is determined
that only the debarred individual was responsible for the improper
redisclosure of PII from education records, the debarred individual
leaves the third party's employment, and the improper redisclosure was
not caused by a policy of the third party. It is important to note,
however, that such determinations are highly fact specific and the
Department will review each situation case by case.
Changes: We are amending Sec. Sec. 99.61, 99.62, 99.64, 99.65,
99.66 and 99.67 of the FERPA regulations. These changes provide more
detailed procedures governing the investigation, processing, and review
of complaints and violations against third parties outside of an
educational agency or institution for failing to destroy PII from
education records in violation of Sec. 99.31(a)(6)(iii)(B) or for
improperly redisclosing PII from education records in violation of
Sec. 99.33.
Comment: Several commenters provided general support for the five-
year rule as a means to enforce FERPA. One commenter stated that five
years is an appropriate time period for such a violation, and another
stated that substantial consequences are a must and that debarment
would be an appropriate remedy for FERPA violations.
Other commenters found this sanction insufficient to adequately
protect privacy and called for more extensive and harsher penalties.
One commenter requested that other penalties be developed out of a
concern that the five-year rule would not be used frequently enough to
deter egregious and flagrant violations of FERPA. Several commenters
requested that the Department apply the rule more broadly. For example,
one commenter stated that the Department should sanction other
inappropriate activities that affect privacy besides improper
redisclosures, including, but not limited to, ``using records for an
improper purpose; examining individual records without justification *
* * and not allowing access to or correction of records when
appropriate.''
Still others expressed concern that the Department would apply the
five-year rule too broadly. One commenter suggested limiting the scope
of the prohibition to PII from education records used for the purposes
of conducting studies and not necessarily for other purposes related to
the provision of products, services, and other functions.
Discussion: The Department lacks the legal authority to expand the
enforcement mechanisms available under FERPA beyond those discussed in
this preamble and therefore declines to include harsher penalties such
as those requested by a number of commenters. For the same reason, we
cannot expand the list of ``inappropriate activities'' that may be
sanctioned under the five-year rule beyond improper redisclosures under
Sec. 99.33 and the failure to destroy PII in violation of Sec.
99.31(a)(6)(iii)(B). The five-year rule is clear that it only applies
to improper redisclosures of PII received under any of the exceptions
to the general consent rule and the failure to destroy PII from
education records under the studies exception.
The Department also declines to limit the scope of the prohibition
to the purpose of conducting studies and not necessarily for other
purposes related to the provision of products, services, and other
functions. Section (b)(4)(B) of FERPA (20 U.S.C. 1232g(b)(4)(B))
provides that the five-year rule applies to any improper redisclosure
made by any third party and not just to an improper redisclosure made
by a third party conducting research under the studies exception. Thus,
the final regulations include a third regulatory provision, reflected
in Sec. 99.67(d), that describes the five-year rule as it applies
specifically in the context of the audit or evaluation exception.
Section 99.67 states that in the context of the audit or evaluation
exception, where the FERPA-permitted entities and any of their
authorized representatives are third parties, the five-year rule could
be applied against the FERPA-permitted entities, an authorized
representative thereof, or both.
Changes: None.
Comment: Another commenter requested that the regulations be
changed to prohibit the offending third party from requesting PII from
education records from the disclosing educational agency or institution
in the future rather than placing the burden on the educational agency
or institution to deny access.
Discussion: The Department cannot prohibit a third party who has
violated FERPA from requesting PII from education records from an
educational agency or institution. The five-year rule clearly states
that it is the duty of the educational agency or institution that
originally disclosed the PII from education records to the third party
to prevent further disclosure to the same third party. Still, the five-
year rule does not prohibit all educational agencies and institutions
from disclosing PII from education records to the offending third
party; as made clear by the statute, the prohibition only applies to
the educational agency or institution that originally disclosed PII
from education records to that third party.
Changes: None.
Comment: Some commenters expressed concern that under the five-year rule,
educational agencies and institutions, such as LEAs, would be
prohibited from disclosing PII from education records to third parties,
such as SEAs, if these third parties improperly redisclosed FERPA-
protected data that they received from the educational agency or
institution. The commenters expressed concern that Federal and State
education laws require LEAs to share data with SEAs in order to qualify
for Federal and State education funds.
Another commenter expressed a similar concern that an institution
of higher education might be prohibited from offering Federal financial
aid to its students if the Department itself were responsible for the
improper redisclosure. In the commenter's example, the institution of
higher education would be unable to make data
[[Page 75636]]
disclosures needed to process Federal and State loans, if the five-year
rule were applied to the Department.
Discussion: The Department would interpret the five-year rule
consistently with other Federal laws to the greatest extent possible in
order to avoid a conflict between Federal laws. If imposition of the
five-year rule would prevent an LEA from complying with other legal
requirements, FPCO may sanction the offending SEA using an enforcement
mechanism that is available to the Department under GEPA, such as
issuing a cease and desist order, thereby allowing the LEA to meet its
other legal obligations.
Similarly, in response to those commenters who expressed a concern
that subjecting the Department to the five-year rule would prevent
institutions of higher education from providing student information to
the Department's Federal Student Aid (FSA) office, the Department will
administer FERPA in a reasonable manner and read it consistently with
Federal laws governing student financial aid. Like any other third
party outside of an educational agency or institution, FSA, or any
other office in the Department that receives PII from education
records, must also comply with FERPA; if FPCO found that FSA, or any
other third party, violated the redisclosure provisions in FERPA, FPCO
would then work with that third party to obtain voluntary compliance
with FERPA, potentially eliminating the need to impose the five-year
ban.
Changes: None.
Comment: One commenter expressed concern about existing contracts
and written agreements being violated because of an application of the
five-year rule regarding a separate and unrelated improper redisclosure
of PII from education records by an authorized representative.
Discussion: The Department disagrees that application of the five-
year rule will automatically prevent a debarred third party from
complying with its obligations under other pre-existing contracts or
written agreements. If FPCO were to find that application of the rule
was warranted, the regulations would prohibit only the original,
disclosing educational agency or institution from providing PII from
education records to the third party. Furthermore, this prohibition
would only occur if the third party refused to work with FPCO to
voluntarily comply with FERPA.
Changes: None.
Comment: Two commenters noted what they perceived to be a conflict
between the language used in the statute (and the preamble of the NPRM)
regarding the five-year rule and the language in current regulations.
Although the statute states that the original, disclosing educational
agency or institution ``shall be prohibited'' from permitting an
offending third party to access PII from education records for at least
five years, the regulations state that the disclosing educational
agency or institution ``may not'' allow the third party access to PII
from education records. One commenter preferred to use the terms ``may
not'' instead of ``shall be prohibited'' because ``may not'' suggested
greater flexibility in how the five-year rule would be applied.
Discussion: We disagree that a conflict exists between the language
contained in the statute and current regulations regarding the five-
year rule. Specifically, we consider the terms used in the regulations
(``may not'' allow access) to have the same meaning as the language
used in the statute (``shall be prohibited'' from permitting access).
Changes: None.
Executive Orders 12866 and 13563
Regulatory Impact Analysis
Under Executive Order 12866, the Secretary must determine whether
the regulatory action is ``significant'' and therefore subject to the
requirements of the Executive Order and subject to review by OMB.
Section 3(f) of Executive Order 12866 defines a ``significant
regulatory action'' as an action likely to result in regulations that
may (1) have an annual effect on the economy of $100 million or more,
or adversely affect a sector of the economy, productivity, competition,
jobs, the environment, public health or safety, or State, local or
tribal governments or communities in a material way (also referred to
as ``economically significant'' regulations); (2) create serious
inconsistency or otherwise interfere with an action taken or planned by
another agency; (3) materially alter the budgetary impacts of
entitlement grants, user fees, or loan programs or the rights and
obligations of recipients thereof; or (4) raise novel legal or policy
issues arising out of legal mandates, the President's priorities, or
the principles set forth in the Executive order.
Pursuant to the terms of the Executive Order, we have determined
this regulatory action is significant and subject to OMB review under
section 3(f)(4) of Executive Order 12866. Notwithstanding this
determination, we have assessed the potential costs and benefits--both
quantitative and qualitative--of this regulatory action. The Department
believes that the benefits justify the costs.
The Department has also reviewed these regulations pursuant to
Executive Order 13563, published on January 21, 2011 (76 FR 3821).
Executive Order 13563 is supplemental to and explicitly reaffirms the
principles, structures, and definitions governing regulatory review
established in Executive Order 12866. To the extent permitted by law,
agencies are required by Executive Order 13563 to: (1) Propose or adopt
regulations only upon a reasoned determination that their benefits
justify their costs (recognizing that some benefits and costs are
difficult to quantify); (2) tailor their regulations to impose the
least burden on society, consistent with obtaining regulatory
objectives, taking into account, among other things, and to the extent
practicable, the costs of cumulative regulations; (3) select, in
choosing among alternative regulatory approaches, those approaches that
maximize net benefits (including potential economic, environmental,
public health and safety, and other advantages; distributive impacts;
and equity); (4) specify, to the extent feasible, performance
objectives, rather than specifying the behavior or manner of compliance
that regulated entities must adopt; and (5) identify and assess
available alternatives to direct regulation, including providing
economic incentives to encourage the desired behavior, such as user
fees or marketable permits, or providing information upon which choices
can be made by the public.
We emphasize as well that Executive Order 13563 requires agencies
``to use the best available techniques to quantify anticipated present
and future benefits and costs as accurately as possible.'' In its
February 2, 2011, memorandum (M-11-10) on Executive Order 13563,
improving regulation and regulatory review, the Office of Information
and Regulatory Affairs in OMB has emphasized that such techniques may
include ``identifying changing future compliance costs that might
result from technological innovation or anticipated behavioral
changes.''
We are issuing these regulations only upon a reasoned determination
that their benefits justify their costs, and we selected, in choosing
among alternative regulatory approaches, those approaches that maximize
net benefits. Based on the following analysis, the Department believes
that these final regulations are consistent with the principles in
Executive Order 13563.
We also have determined that this regulatory action would not
unduly interfere with State, local, and tribal governments in the
exercise of their governmental functions.
[[Page 75637]]
Potential Costs and Benefits
Following is an analysis of the costs and benefits of the changes
reflected in these final FERPA regulations. These changes facilitate
the disclosure, without written consent, of PII from education records
for the purposes of auditing or evaluating Federal- or State-supported
education programs and enforcing or ensuring compliance with Federal
legal requirements related to these programs. In conducting this
analysis, the Department examined the extent to which the changes add
to or reduce the costs of educational agencies, other agencies, and
institutions in complying with the FERPA regulations prior to these
changes, and the extent to which the changes are likely to provide
educational benefit. Allowing data-sharing across agencies, because it
increases the number of individuals who have access to PII from
education records, may increase the risk of unauthorized disclosure of
PII from education records. However, we do not believe that the staff
in the additional agencies who will have access to PII from education
records are any more likely to violate FERPA than existing users, and
the strengthened accountability and enforcement mechanisms reflected in
these regulations will help to ensure better compliance overall. While
there will be administrative costs associated with implementing data-
sharing protocols that ensure that PII from education records is
disclosed in accordance with the limitations in FERPA, we believe that
the relatively minimal administrative costs of establishing these
protocols will be offset by potential analytic benefits. Based on this
analysis, the Secretary has concluded that the amendments reflected in
these final regulations will result in savings to entities and have the
potential to benefit the Nation by improving capacity to conduct
analyses that will provide information needed to improve education.
Authorized Representative
These regulations amend Sec. 99.3 by adding a definition of the
term ``authorized representative;'' an authorized representative is any
individual or entity designated by a State or local educational
authority or a Federal agency headed by the Secretary, the Comptroller
General, or the Attorney General to carry out audits, evaluations, or
enforcement or compliance activities relating to education programs.
FERPA permits educational authorities to provide to authorized
representatives PII from education records for the purposes of
conducting audits, evaluations, or enforcement and compliance
activities relating to Federal- and State-supported education programs.
However, in the past, we had not defined the term ``authorized
representative'' in our regulations. The Department's position had been
that educational authorities may only disclose education records to
entities over which they have direct control, such as an employee or a
contractor. Therefore, under the Department's interpretation of its
regulations, SEAs were not able to disclose PII from education records
to many State agencies, even for the purpose of evaluating education
programs under the purview of the SEAs. For example, an SEA or LEA
could not disclose PII from education records to a State employment
agency for the purpose of obtaining data on post-school outcomes such
as employment for its former students. Thus, if an SEA or LEA wanted to
match education records with State employment records for purposes of
evaluating its secondary education programs, it would have to import
the entire workforce database and do the match itself (or contract with
a third party to do the same analysis). Similarly, if a State workforce
agency wanted to use PII from education records maintained by the SEA
in its SLDS, in combination with data it had on employment outcomes, to
evaluate secondary vocational education programs, it would not be able
to obtain PII from the education records in the SEA's SLDS to conduct
the analyses. It would have to provide the workforce data to the SEA so
that the SEA could conduct the analyses or to a third party (e.g., an
entity under the direct control of the SEA) to construct the needed
longitudinal administrative data systems. While feasible, these
strategies force agencies to outsource their analyses to other agencies
or entities, adding administrative cost, burden, and complexity.
Moreover, preventing agencies from using PII from education records
directly for conducting their own analytical work increases the
likelihood that the work will not meet their expectations or get done
at all. Finally, the previous interpretation of the current regulations
exposed greater amounts of PII from education records to risk of
disclosure as a result of greater quantities of PII from education
records moving across organizations (e.g., the entire workforce
database) than would be the case with a more targeted data request
(e.g., disclosure of PII from education records for graduates from a
given year who appear in the workforce database). These final
regulations allow FERPA-permitted entities to disclose PII from
education records without consent to authorized representatives, which
may include other State agencies, or to house data in a common State
data system, such as a data warehouse administered by a central State
authority for the purposes of conducting audits or evaluations of
Federal- or State-supported education programs, or for enforcement of
and ensuring compliance with Federal legal requirements relating to
Federal- and State-supported education programs (consistent with FERPA
and other Federal and State confidentiality and privacy provisions).
The Department also amends Sec. 99.35 to require that FERPA-
permitted entities use written agreements with an authorized
representative (other than employees) when they agree to disclose PII
from education records without consent to the authorized representative
under the audit or evaluation exception. The cost of entering into such
agreements should be minimal in relation to the benefits of being able
to disclose this information. Section Sec. 99.35(a)(3) requires that
the written agreement specify that the information is being disclosed
for the purpose of carrying out an allowable audit, evaluation, or
enforcement or compliance activity, as well as a description of the
activity and how the disclosed information is to be used.
Education Program
The final regulations amend Sec. 99.3 by adding a definition for
the term ``education program.'' This definition clarifies that an
education program can include a program administered by a non-
educational agency (e.g., an early childhood program administered by a
human services agency or a career and technical education program
administered by a workforce or labor agency) and any program
administered by an educational agency or institution. These final
regulations also define the term ``early childhood education program,''
because that term is used in the definition of ``education program.''
For the definition of ``early childhood education program,'' we use the
definition of that term from HEA.
These definitions, in combination with the addition of the
definition of the term ``authorized representative,'' result in a
regulatory framework for FERPA that allows non-educational agencies to
have easier access to PII in student education records that they can
use to evaluate the education programs they administer. For example,
these changes permit disclosures of PII in
[[Page 75638]]
elementary and secondary school education records without consent to a
non-educational agency that is administering an early childhood
education program in order to evaluate the impact of its early
childhood education program on its students' long-term educational
outcomes. The potential benefits of these regulatory changes are
substantial, including the benefits of non-educational agencies that
are administering education programs, as that term is defined in these
regulations, being able to conduct their own analyses without incurring
the prohibitive costs of obtaining consent for access to individual
students' PII from education records.
Research Studies
Section (b)(1)(F) of FERPA permits educational agencies and
institutions to disclose PII from education records without consent to
organizations conducting research studies for, or on behalf of,
educational agencies or institutions from which the PII from education
records originated, for statutorily-specified purposes. The amendment
to Sec. 99.31(a)(6) permits any of the authorities listed in Sec.
99.31(a)(3), including SEAs, to enter into written agreements that
provide for the disclosure of PII from education records to research
organizations for studies that would benefit the educational agencies
or institutions that disclosed the PII to the SEA or other educational
authorities. The preamble to the final FERPA regulations published in
the Federal Register on December 9, 2008 (73 FR 74806, 74826) took the
position that an SEA, for example, could not redisclose PII from
education records that it obtained from an LEA to a research
organization unless the SEA had separate legal authority to act for, or
on behalf of, the LEA (or other educational institution). Because, in
practice, this authority may not be explicit in all States, we are
amending Sec. 99.31 to specifically allow State educational
authorities, which include SEAs, to enter into agreements with research
organizations for studies that are for one or more of the enumerated
purposes under FERPA, such as studies to improve instruction (see Sec.
99.31(a)(6)(ii)). The Department believes that this regulatory change
will be beneficial because it will reduce the administrative costs of,
and reduce the barriers to, using PII from education records, including
PII from education records in SLDS, in order to conduct studies to
improve instruction in education programs.
Authority To Evaluate
Current Sec. 99.35(a)(2) provides that the authority for a FERPA-
permitted entity to conduct an audit, evaluation, or enforcement or
compliance activity must be established under a Federal, State, or
local authority other than FERPA. Lack of such explicit State or local
authority has hindered the use of PII from education records in some
States. These final regulations remove this language about legal
authority because we believe that the language unnecessarily caused
confusion in the field. This is because FERPA does not require that a
State or local educational authority have express legal authority to
conduct audits, evaluations, or compliance or enforcement activities.
Rather, we believe FERPA permits disclosure of PII from education
records to a State or local educational authority if that entity also
has implied authority to conduct audit, evaluation, or enforcement or
compliance activities with respect to its own programs.
This regulatory change also allows an SEA to receive PII from
education records originating at postsecondary institutions as needed
to evaluate its own programs and determine whether its schools are
adequately preparing students for higher education. The preamble to the
final FERPA regulations published in the Federal Register on December
9, 2008 (73 FR 74806, 74822) suggested that PII in education records
maintained by postsecondary institutions could only be disclosed to an
SEA if the SEA had legal authority to evaluate postsecondary
institutions. This interpretation restricted SEAs from conducting
analyses to determine how effectively their own programs are preparing
students for higher education and from identifying effective programs.
As a result, this interpretation resulted in a regulatory framework for
FERPA that has hindered efforts to improve education. The primary
benefit of this change is that it will allow SEAs to conduct analyses
of data that includes PII from education records for the purpose of
program evaluations (consistent with FERPA and other Federal and State
confidentiality and privacy provisions) without incurring the
prohibitive costs of obtaining prior written consent from eligible
students or parents.
Educational Agency or Institution
Sections (f) and (g) of FERPA authorize the Secretary to take
appropriate actions to enforce the law and address FERPA violations,
but subpart E of the current FERPA regulations only addressed alleged
violations of FERPA by an ``educational agency or institution.''
Because the Department had not interpreted the term ``educational
agency or institution'' to include agencies or institutions that
students do not attend (such as an SEA), the current FERPA regulations
do not specifically permit the Secretary to bring an enforcement action
against an SEA or other State or local educational authority or any
other recipient of Department funds under a program administered by the
Secretary that did not meet the definition of an ``educational agency
or institution'' under FERPA. Thus, for example, if an SEA improperly
redisclosed PII from education records obtained from its LEAs, the
Department could pursue enforcement actions against each of the LEAs
(because the Department views an LEA as an educational agency attended
by students), but not the SEA. These final regulations amend the
regulatory provisions in subpart E to clarify that the Secretary may
investigate, process, review, and enforce complaints and violations of
FERPA against an educational agency or institution, any other recipient
of Department funds under a program administered by the Secretary, or
other third parties.
This change will result in some administrative savings and improve
the efficiency of the enforcement process. Under the current
regulations, if, for example, an SEA with 500 LEAs improperly
redisclosed PII from its SLDS to an unauthorized party, the Department
would have had to investigate each of the 500 LEAs, which are unlikely
to have had knowledge relating to the disclosure. Under the final
regulations, the LEAs will be relieved of any administrative costs
associated with responding to the Department's request for information
about the disclosure and the Department will immediately direct the
focus of its investigation on the SEA, the agency most likely to have
information on and bear responsibility for the disclosure of PII,
without having to spend time and resources contacting the LEAs.
Regulatory Flexibility Act Certification
The Secretary certifies that this regulatory action will not have a
significant economic impact on a substantial number of small entities.
The small entities that this final regulatory action will affect
are small LEAs. The Secretary believes that the costs imposed by these
regulations will be limited to paperwork burden related to requirements
concerning data-sharing agreements and that the benefits from ensuring
that PII from education records are collected, stored, and shared
appropriately outweigh any costs incurred by these small LEAs. In
addition, it is possible that State and local educational authorities
may enter into agreements with small institutions of higher education
or other small entities that will serve as their authorized
representatives to conduct evaluations or other authorized activities.
Entering into such agreements would be entirely voluntary on the part
of the institutions of higher education or other entities, would be of
minimal cost, and presumably would be for the benefit of the
institution of higher education or other entity.
The U.S. Small Business Administration Size Standards define as
``small entities'' for-profit or nonprofit institutions with total
annual revenue below $7,000,000 or, if they are institutions controlled
by small governmental jurisdictions (that are comprised of cities,
counties, towns, townships, villages, school districts, or special
districts), with a population of less than 50,000.
According to estimates from the U.S. Census Bureau's Small Area
Income and Poverty Estimates programs that were based on school
district boundaries for the 2007-2008 school year, there are 12,484
LEAs in the country that include fewer than 50,000 individuals within
their boundaries and for which there is estimated to be at least one
school-age child. In its 1997 publication, Characteristics of Small and
Rural School Districts, the NCES defined a small school district as
``one having fewer students in membership than the sum of (a) 25
students per grade in the elementary grades it offers (usually K-8) and
(b) 100 students per grade in the secondary grades it offers (usually
9-12).'' Using this definition, a district would be considered small if
it had fewer than 625 students in membership. The Secretary believes
that the 4,800 very small LEAs that meet this second definition are
highly unlikely to enter into data-sharing agreements directly with
outside entities.
In the NPRM, the Department solicited comments from entities
familiar with data sharing in small districts on the number of entities
likely to enter into agreements each year, the number of such
agreements, and the number of hours required to execute each agreement,
but we received no comments and do not have reliable data with which to
estimate how many of the remaining 7,684 small LEAs will enter into
data-sharing agreements. For small LEAs that enter into data-sharing
agreements, we estimate that they will spend approximately 4 hours
executing each agreement, using a standard data-sharing protocol. Thus,
we assume the impact on the entities will be minimal.
Federalism
Executive Order 13132 requires us to ensure meaningful and timely
input by State and local elected officials in the development of
regulatory policies that have federalism implications. ``Federalism
implications'' means substantial direct effects on the States, on the
relationship between the National Government and the States, or on the
distribution of power and responsibilities among the various levels of
government. Among other requirements, the Executive order requires us
to consult with State and local elected officials respecting any
regulations that have federalism implications and either preempt State
law or impose substantial direct compliance costs on State and local
governments, and are not required by statute, unless the Federal
government provides the funds for those costs.
The Department has reviewed these final regulations in accordance
with Executive Order 13132. We have concluded that these final
regulations do not have federalism implications, as defined in the
Executive order. The regulations do not have substantial direct effects
on the States, on the relationship between the national government and
the States, or on the distribution of power and responsibilities among
the various levels of government.
In the NPRM we explained that the proposed regulations in
Sec. Sec. 99.3, 99.31(a)(6), and 99.35 may have federalism
implications, as defined in Executive Order 13132, and we asked that
State and local elected officials make comments in this regard. One
commenter stated that it believed that some of the proposed changes
would increase burdens on SEAs, especially with respect to enforcing
the destruction of PII from education records once a study or an audit
or evaluation has ended.
The FERPA requirements that PII from education records be destroyed
when no longer needed for both the studies exception and the audit or
evaluation exception are statutory (20 U.S.C. 1232g(b)(1)(F) and
1232g(b)(3)). Further, the regulatory provisions concerning destruction
for these two exceptions (Sec. Sec. 99.31(a)(6) and 99.35) are not
new. Therefore, these final regulations do not include additional
burden.
After giving careful consideration to the comment, we conclude that
these final regulations do not have federalism implications as defined
in Executive Order 13132.
Paperwork Reduction Act of 1995
As part of its continuing effort to reduce paperwork and respondent
burden, the Department conducts a preclearance consultation program to
provide the general public and Federal agencies with an opportunity to
comment on proposed and continuing collections of information in
accordance with the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C.
3506(c)(2)(A)). This helps ensure that: the public understands the
Department's collection instructions; respondents can provide the
requested data in the desired format; reporting burden (time and
financial resources) is minimized; collection instruments are clearly
understood; and the Department can properly assess the impact of
collection requirements on respondents. The term ``collections of
information'' under the PRA includes regulatory requirements that
parties must follow concerning paperwork, e.g., the requirement that
educational agencies and institutions annually notify parents and
eligible students of their rights under FERPA. It does not necessarily
mean that information is being collected by a government entity.
Sections 99.7, 99.31(a)(6)(ii), 99.35(a)(3), and 99.37(d) contain
information collection requirements. In the NPRM published on April 8,
2011, we requested public comments on the information collection
requirements in proposed Sec. Sec. 99.31(a)(6)(ii) and 99.35(a)(3).
Since publication of the NPRM, we have determined that Sec. 99.37(d)
also has an information collection associated with it. In addition,
since publication of the NPRM, we decided to make changes to the model
notification, which we provide to assist entities to comply with the
annual notification of rights requirement in Sec. 99.7. Therefore,
this section discusses the information collections associated with
these four regulatory provisions. These information collections will be
submitted to OMB for review and approval. A valid OMB control number
will be assigned to the information collection requirements at the end
of the affected sections of the regulations.
Section 99.7--Annual Notification of Rights Requirement (OMB Control
Number 1875-0246)
Although we did not propose any changes to Sec. 99.7, which
requires that educational agencies and institutions annually notify
parents and eligible students of their rights under FERPA, we did make
some modifications to our
model notification associated with this requirement. Specifically, to
allow parents and eligible students to more fully understand the
circumstances under which disclosures may occur without their consent,
we have amended the model annual notifications to include a listing of
the various exceptions to the general consent rule in the regulations.
The model notices (one for elementary and secondary schools and another
one for postsecondary institutions) are included as Appendix B and
Appendix C to this notice. We also post the model notifications on our
Web site and have indicated the site address in the preamble. We do not
believe that this addition to the model notification increases the
currently approved burden of .25 hours (15 minutes) we previously
estimated for the annual notification of rights requirement.
Section 99.31(a)(6)(ii)--Written Agreements for Studies (OMB Control
Number 1875-0246)
The final regulations modify the information collection
requirements in Sec. 99.31(a)(6)(ii); however, the Department does not
believe these regulatory changes result in any new burden to State or
local educational authorities. As amended, Sec. 99.31(a)(6)(ii)
clarifies that FERPA-permitted entities may enter into written
agreements with organizations conducting studies for, or on behalf of,
educational agencies and institutions. We do not believe this will
result in a change or an increase in burden because the provision would
permit an organization conducting a study to enter into one written
agreement with a FERPA-permitted entity, rather than making the
organization enter into multiple written agreements with a variety of
schools and school districts.
Section 99.35(a)(3)--Written Agreements for Audits, Evaluations,
Compliance or Enforcement Activities (OMB Control Number 1875-0246)
Section 99.35(a)(3) requires FERPA-permitted entities to use a
written agreement to designate authorized representatives other than
agency employees. Under the final regulations, the agreement must: (1)
Designate the individual or entity as an authorized representative; (2)
specify the PII from education records to be disclosed; (3) specify
that the purpose for which the PII from education records is disclosed
to the authorized representative is to carry out an audit or evaluation
of Federal- or State-supported education programs, or to enforce or to
comply with Federal legal requirements that relate to those programs;
(4) describe the activity to make clear that it legitimately fits
within the exception of Sec. 99.31; (5) require the authorized
representative to destroy PII from education records when the
information is no longer needed for the purpose specified; (6) specify
the time period in which the PII from education records must be
destroyed; and (7) establish policies and procedures, consistent with
FERPA and other Federal and State confidentiality and privacy
provisions, to protect PII from education records from further
disclosure (except back to the disclosing entity) and unauthorized use.
The total estimated burden under this provision is 9,928 hours.
Specifically, the burden for States under this provision is estimated
to be 40 hours annually for each of the 103 State educational
authorities in the various States and territories subject to FERPA (one
for K-12 and one for postsecondary in each SEA). Assuming that each
State authority handles the agreements up to 10 times per year with an
estimated 4 hours per agreement, the total anticipated increase in
annual burden would be 4,120 hours for this new requirement in OMB
Control Number 1875-0246. In addition, the burden for large LEAs and
postsecondary institutions (1,452 educational agencies and institutions
with a student population of over 10,000) is estimated to be 4 hours
annually. Assuming each large LEA and postsecondary institution handles
the agreements up to 1 time per year with an estimated 4 hours per
agreement, the total anticipated increase in annual burden for large
LEAs and postsecondary institutions would be 5,808 hours for this
requirement.
Note: For purposes of the burden analysis for Sec. 99.35(a)(3),
we estimate the burden on large LEAs and postsecondary institutions
because we believe that estimating burden for these institutions
captures the high-end of the burden estimate. We expect that burden
for smaller LEAs and postsecondary institutions under Sec.
99.35(a)(3) would be much less than estimated here.
Section 99.37(d)--Parental Notice of Disclosure of Directory
Information (OMB Control Number 1875-0246)
Section 99.37(d) requires any educational agency or institution
that elects to implement a limited directory information policy to
specify its policy in the public notice to parents and eligible
students in attendance at the educational agency or institution. We do
not expect this requirement to result in an additional burden for most
educational agencies and institutions because educational agencies and
institutions are already required under Sec. 99.37(a) to provide
public notice of their directory information policy. However, the change
reflected in amended Sec. 99.37(d) could result in a burden increase
for an educational agency or institution that currently has a policy of
disclosing all directory information and elects, under the new
regulations, to limit the disclosure of directory information. The
agency or institution would now be required to inform parents and
eligible students that it has a limited directory information policy.
The notice provides parents and eligible students with the opportunity
to opt out of the disclosure of directory information. Additionally,
many educational agencies and institutions include their directory
information notice as part of the required annual notification of
rights under Sec. 99.7, which is already listed as a burden and
approved under OMB Control Number 1875-0246. These educational agencies
and institutions, therefore, would not experience an increase in burden
associated with the changes reflected in Sec. 99.37(d).
Assessment of Educational Impact
In the NPRM, and in accordance with section 441 of the General
Education Provisions Act, 20 U.S.C. 1221e-4, we requested comments on
whether the proposed regulations would require transmission of
information that any other agency or authority of the United States
gathers or makes available.
Based on the response to the NPRM and on our review, we have
determined that these final regulations do not require transmission of
information that any other agency or authority of the United States
gathers or makes available.
Accessible Format: Individuals with disabilities can obtain this
document in an accessible format (e.g., braille, large print,
audiotape, or compact disc) on request to the program contact person
listed under FOR FURTHER INFORMATION CONTACT.
Electronic Access to This Document: The official version of this
document is the document published in the Federal Register. Free
Internet access to the official edition of the Federal Register and the
Code of Federal Regulations is available via the Federal Digital System
at: http://www.gpo.gov/fdsys. At this site you can view this document,
as well as all other documents of this Department published in the
Federal Register, in text or Adobe Portable Document Format (PDF). To
use PDF you must have Adobe Acrobat Reader, which is available free at
the site.
You may also access documents of the Department published in the
Federal Register by using the article search feature at:
http://www.federalregister.gov. Specifically, through the advanced search
feature at this site, you can limit your search to documents published
by the Department.
(Catalog of Federal Domestic Assistance Number does not apply.)
List of Subjects in 34 CFR Part 99
Administrative practice and procedure, Directory information,
Education records, Information, Parents, Privacy, Records, Social
Security numbers, Students.
Dated: November 23, 2011.
Arne Duncan,
Secretary of Education.
For the reasons discussed in the preamble, the Secretary amends
part 99 of title 34 of the Code of Federal Regulations as follows:
PART 99--FAMILY EDUCATIONAL RIGHTS AND PRIVACY
1. The authority citation for part 99 continues to read as follows:
Authority: 20 U.S.C. 1232g, unless otherwise noted.
2. Section 99.3 is amended by:
A. Adding, in alphabetical order, definitions for authorized
representative, early childhood education program, and education
program.
B. Revising the definition of directory information. The additions and
revision read as follows:
Sec. 99.3 What definitions apply to these regulations?
* * * * *
Authorized representative means any entity or individual designated
by a State or local educational authority or an agency headed by an
official listed in Sec. 99.31(a)(3) to conduct--with respect to
Federal- or State-supported education programs--any audit or
evaluation, or any compliance or enforcement activity in connection
with Federal legal requirements that relate to these programs.
(Authority: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5))
* * * * *
Directory information means information contained in an education
record of a student that would not generally be considered harmful or
an invasion of privacy if disclosed.
(a) Directory information includes, but is not limited to, the
student's name; address; telephone listing; electronic mail address;
photograph; date and place of birth; major field of study; grade level;
enrollment status (e.g., undergraduate or graduate, full-time or part-
time); dates of attendance; participation in officially recognized
activities and sports; weight and height of members of athletic teams;
degrees, honors, and awards received; and the most recent educational
agency or institution attended.
(b) Directory information does not include a student's--
(1) Social security number; or
(2) Student identification (ID) number, except as provided in
paragraph (c) of this definition.
(c) In accordance with paragraphs (a) and (b) of this definition,
directory information includes--
(1) A student ID number, user ID, or other unique personal
identifier used by a student for purposes of accessing or communicating
in electronic systems, but only if the identifier cannot be used to
gain access to education records except when used in conjunction with
one or more factors that authenticate the user's identity, such as a
personal identification number (PIN), password or other factor known or
possessed only by the authorized user; and
(2) A student ID number or other unique personal identifier that is
displayed on a student ID badge, but only if the identifier cannot be
used to gain access to education records except when used in
conjunction with one or more factors that authenticate the user's
identity, such as a PIN, password, or other factor known or possessed
only by the authorized user.
(Authority: 20 U.S.C. 1232g(a)(5)(A))
* * * * *
Early childhood education program means--
(a) A Head Start program or an Early Head Start program carried out
under the Head Start Act (42 U.S.C. 9831 et seq.), including a migrant
or seasonal Head Start program, an Indian Head Start program, or a Head
Start program or an Early Head Start program that also receives State
funding;
(b) A State licensed or regulated child care program; or
(c) A program that--
(1) Serves children from birth through age six that addresses the
children's cognitive (including language, early literacy, and early
mathematics), social, emotional, and physical development; and
(2) Is--
(i) A State prekindergarten program;
(ii) A program authorized under section 619 or part C of the
Individuals with Disabilities Education Act; or
(iii) A program operated by a local educational agency.
* * * * *
Education program means any program that is principally engaged in
the provision of education, including, but not limited to, early
childhood education, elementary and secondary education, postsecondary
education, special education, job training, career and technical
education, and adult education, and any program that is administered by
an educational agency or institution.
(Authority: 20 U.S.C. 1232g(b)(3), (b)(5))
* * * * *
3. Section 99.31 is amended by:
A. Removing paragraph (a)(6)(iii).
B. Redesignating paragraph (a)(6)(ii) as paragraph (a)(6)(iii).
C. Adding a new paragraph (a)(6)(ii).
D. Revising the introductory text of newly redesignated paragraph
(a)(6)(iii).
E. Revising the introductory text of newly redesignated paragraph
(a)(6)(iii)(C).
F. Revising newly redesignated paragraph (a)(6)(iii)(C)(4).
G. Revising paragraph (a)(6)(iv).
The addition and revisions read as follows:
Sec. 99.31 Under what conditions is prior consent not required to
disclose information?
(a) * * *
(6) * * *
(ii) Nothing in the Act or this part prevents a State or local
educational authority or agency headed by an official listed in
paragraph (a)(3) of this section from entering into agreements with
organizations conducting studies under paragraph (a)(6)(i) of this
section and redisclosing personally identifiable information from
education records on behalf of educational agencies and institutions
that disclosed the information to the State or local educational
authority or agency headed by an official listed in paragraph (a)(3) of
this section in accordance with the requirements of Sec. 99.33(b).
(iii) An educational agency or institution may disclose personally
identifiable information under paragraph (a)(6)(i) of this section, and
a State or local educational authority or agency headed by an official
listed in paragraph (a)(3) of this section may redisclose personally
identifiable information under paragraph (a)(6)(i) and (a)(6)(ii) of
this section, only if--
* * * * *
(C) The educational agency or institution or the State or local
educational authority or agency headed by an official listed in
paragraph (a)(3)
of this section enters into a written agreement with the organization
that--
* * * * *
(4) Requires the organization to destroy all personally
identifiable information when the information is no longer needed for
the purposes for which the study was conducted and specifies the time
period in which the information must be destroyed.
(iv) An educational agency or institution or State or local
educational authority or Federal agency headed by an official listed in
paragraph (a)(3) of this section is not required to initiate a study or
agree with or endorse the conclusions or results of the study.
* * * * *
Sec. 99.33 [Amended]
4. Section 99.33 is amended by removing paragraph (e).
5. Section 99.35 is amended by:
A. Revising paragraph (a)(2).
B. Adding a new paragraph (a)(3).
C. Revising paragraph (b).
D. Revising the authority citation at the end of the section.
The addition and revisions read as follows:
Sec. 99.35 What conditions apply to disclosure of information for
Federal or State program purposes?
(a) * * *
(2) The State or local educational authority or agency headed by an
official listed in Sec. 99.31(a)(3) is responsible for using
reasonable methods to ensure to the greatest extent practicable that
any entity or individual designated as its authorized representative--
(i) Uses personally identifiable information only to carry out an
audit or evaluation of Federal- or State-supported education programs,
or for the enforcement of or compliance with Federal legal requirements
related to these programs;
(ii) Protects the personally identifiable information from further
disclosures or other uses, except as authorized in paragraph (b)(1) of
this section; and
(iii) Destroys the personally identifiable information in
accordance with the requirements of paragraphs (b) and (c) of this
section.
(3) The State or local educational authority or agency headed by an
official listed in Sec. 99.31(a)(3) must use a written agreement to
designate any authorized representative, other than an employee. The
written agreement must--
(i) Designate the individual or entity as an authorized
representative;
(ii) Specify--
(A) The personally identifiable information from education records
to be disclosed;
(B) That the purpose for which the personally identifiable
information from education records is disclosed to the authorized
representative is to carry out an audit or evaluation of Federal- or
State-supported education programs, or to enforce or to comply with
Federal legal requirements that relate to those programs; and
(C) A description of the activity with sufficient specificity to
make clear that the work falls within the exception of Sec.
99.31(a)(3), including a description of how the personally identifiable
information from education records will be used;
(iii) Require the authorized representative to destroy personally
identifiable information from education records when the information is
no longer needed for the purpose specified;
(iv) Specify the time period in which the information must be
destroyed; and
(v) Establish policies and procedures, consistent with the Act and
other Federal and State confidentiality and privacy provisions, to
protect personally identifiable information from education records from
further disclosure (except back to the disclosing entity) and
unauthorized use, including limiting use of personally identifiable
information from education records to only authorized representatives
with legitimate interests in the audit or evaluation of a Federal- or
State-supported education program or for compliance or enforcement of
Federal legal requirements related to these programs.
(b) Information that is collected under paragraph (a) of this
section must--
(1) Be protected in a manner that does not permit personal
identification of individuals by anyone other than the State or local
educational authority or agency headed by an official listed in Sec.
99.31(a)(3) and their authorized representatives, except that the State
or local educational authority or agency headed by an official listed
in Sec. 99.31(a)(3) may make further disclosures of personally
identifiable information from education records on behalf of the
educational agency or institution in accordance with the requirements
of Sec. 99.33(b); and
(2) Be destroyed when no longer needed for the purposes listed in
paragraph (a) of this section.
* * * * *
(Authority: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5))
5. Section 99.37 is amended by:
A. Revising paragraph (c).
B. Redesignating paragraph (d) as paragraph (e).
C. Adding a new paragraph (d).
The addition and revision read as follows:
Sec. 99.37 What conditions apply to disclosing directory information?
* * * * *
(c) A parent or eligible student may not use the right under
paragraph (a)(2) of this section to opt out of directory information
disclosures to--
(1) Prevent an educational agency or institution from disclosing or
requiring a student to disclose the student's name, identifier, or
institutional email address in a class in which the student is
enrolled; or
(2) Prevent an educational agency or institution from requiring a
student to wear, to display publicly, or to disclose a student ID card
or badge that exhibits information that may be designated as directory
information under Sec. 99.3 and that has been properly designated by
the educational agency or institution as directory information in the
public notice provided under paragraph (a)(1) of this section.
(d) In its public notice to parents and eligible students in
attendance at the agency or institution that is described in paragraph
(a) of this section, an educational agency or institution may specify
that disclosure of directory information will be limited to specific
parties, for specific purposes, or both. When an educational agency or
institution specifies that disclosure of directory information will be
limited to specific parties, for specific purposes, or both, the
educational agency or institution must limit its directory information
disclosures to those specified in its public notice that is described
in paragraph (a) of this section.
* * * * *
6. Section 99.61 is revised to read as follows:
Sec. 99.61 What responsibility does an educational agency or
institution, a recipient of Department funds, or a third party outside
of an educational agency or institution have concerning conflict with
State or local laws?
If an educational agency or institution determines that it cannot
comply with the Act or this part due to a conflict with State or local
law, it must notify the Office within 45 days, giving the text and
citation of the conflicting law. If another recipient of Department
funds under any program administered by the Secretary or a third party
to which personally identifiable information from education records has
been non-consensually disclosed determines that it cannot comply with the Act or
this part due to a conflict with State or local law, it also must
notify the Office within 45 days, giving the text and citation of the
conflicting law.
(Authority: 20 U.S.C. 1232g(f))
7. Section 99.62 is revised to read as follows:
Sec. 99.62 What information must an educational agency or institution
or other recipient of Department funds submit to the Office?
The Office may require an educational agency or institution, other
recipient of Department funds under any program administered by the
Secretary to which personally identifiable information from education
records is non-consensually disclosed, or any third party outside of an
educational agency or institution to which personally identifiable
information from education records is non-consensually disclosed to
submit reports, information on policies and procedures, annual
notifications, training materials, or other information necessary to
carry out the Office's enforcement responsibilities under the Act or
this part.
(Authority: 20 U.S.C. 1232g(b)(4)(B), (f), and (g))
8. Section 99.64 is amended by:
A. Revising paragraphs (a) and (b).
B. Revising the authority citation at the end of the section.
The revisions read as follows:
Sec. 99.64 What is the investigation procedure?
(a) A complaint must contain specific allegations of fact giving
reasonable cause to believe that a violation of the Act or this part
has occurred. A complaint does not have to allege that a violation is
based on a policy or practice of the educational agency or institution,
other recipient of Department funds under any program administered by
the Secretary, or any third party outside of an educational agency or
institution.
(b) The Office investigates a timely complaint filed by a parent or
eligible student, or conducts its own investigation when no complaint
has been filed or a complaint has been withdrawn, to determine whether
an educational agency or institution or other recipient of Department
funds under any program administered by the Secretary has failed to
comply with a provision of the Act or this part. If the Office
determines that an educational agency or institution or other recipient
of Department funds under any program administered by the Secretary has
failed to comply with a provision of the Act or this part, it may also
determine whether the failure to comply is based on a policy or
practice of the agency or institution or other recipient. The Office
also investigates a timely complaint filed by a parent or eligible
student, or conducts its own investigation when no complaint has been
filed or a complaint has been withdrawn, to determine whether a third
party outside of the educational agency or institution has failed to
comply with the provisions of Sec. 99.31(a)(6)(iii)(B) or has
improperly redisclosed personally identifiable information from
education records in violation of Sec. 99.33.
* * * * *
(Authority: 20 U.S.C. 1232g(b)(4)(B), (f) and (g))
9. Section 99.65 is amended by revising paragraph (a) to read as
follows:
Sec. 99.65 What is the content of the notice of investigation issued
by the Office?
(a) The Office notifies in writing the complainant, if any, and the
educational agency or institution, the recipient of Department funds
under any program administered by the Secretary, or the third party
outside of an educational agency or institution if it initiates an
investigation under Sec. 99.64(b). The written notice--
(1) Includes the substance of the allegations against the
educational agency or institution, other recipient, or third party; and
(2) Directs the agency or institution, other recipient, or third
party to submit a written response and other relevant information, as
set forth in Sec. 99.62, within a specified period of time, including
information about its policies and practices regarding education
records.
* * * * *
10. Section 99.66 is revised to read as follows:
Sec. 99.66 What are the responsibilities of the Office in the
enforcement process?
(a) The Office reviews a complaint, if any, information submitted
by the educational agency or institution, other recipient of Department
funds under any program administered by the Secretary, or third party
outside of an educational agency or institution, and any other relevant
information. The Office may permit the parties to submit further
written or oral arguments or information.
(b) Following its investigation, the Office provides to the
complainant, if any, and the educational agency or institution, other
recipient, or third party a written notice of its findings and the
basis for its findings.
(c) If the Office finds that an educational agency or institution
or other recipient has not complied with a provision of the Act or this
part, it may also find that the failure to comply was based on a policy
or practice of the agency or institution or other recipient. A notice
of findings issued under paragraph (b) of this section to an
educational agency or institution, or other recipient that has not
complied with a provision of the Act or this part--
(1) Includes a statement of the specific steps that the agency or
institution or other recipient must take to comply; and
(2) Provides a reasonable period of time, given all of the
circumstances of the case, during which the educational agency or
institution or other recipient may comply voluntarily.
(d) If the Office finds that a third party outside of an
educational agency or institution has not complied with the provisions
of Sec. 99.31(a)(6)(iii)(B) or has improperly redisclosed personally
identifiable information from education records in violation of Sec.
99.33, the Office's notice of findings issued under paragraph (b) of
this section--
(1) Includes a statement of the specific steps that the third party
outside of the educational agency or institution must take to comply;
and
(2) Provides a reasonable period of time, given all of the
circumstances of the case, during which the third party may comply
voluntarily.
(Authority: 20 U.S.C. 1232g(b)(4)(B), (f), and (g))
11. Section 99.67 is revised to read as follows:
Sec. 99.67 How does the Secretary enforce decisions?
(a) If an educational agency or institution or other recipient of
Department funds under any program administered by the Secretary does
not comply during the period of time set under Sec. 99.66(c), the
Secretary may take any legally available enforcement action in
accordance with the Act, including, but not limited to, the following
enforcement actions available in accordance with part D of the General
Education Provisions Act--
(1) Withhold further payments under any applicable program;
(2) Issue a complaint to compel compliance through a cease and
desist order; or
(3) Terminate eligibility to receive funding under any applicable
program.
(b) If, after an investigation under Sec. 99.66, the Secretary
finds that an educational agency or institution, other
recipient, or third party has complied voluntarily with the Act or this
part, the Secretary provides the complainant and the agency or
institution, other recipient, or third party with written notice of the
decision and the basis for the decision.
(c) If the Office finds that a third party, outside the educational
agency or institution, violates Sec. 99.31(a)(6)(iii)(B), then the
educational agency or institution from which the personally
identifiable information originated may not allow the third party found
to be responsible for the violation of Sec. 99.31(a)(6)(iii)(B) access
to personally identifiable information from education records for at
least five years.
(d) If the Office finds that a State or local educational
authority, a Federal agency headed by an official listed in Sec.
99.31(a)(3), or an authorized representative of a State or local
educational authority or a Federal agency headed by an official listed
in Sec. 99.31(a)(3), improperly rediscloses personally identifiable
information from education records, then the educational agency or
institution from which the personally identifiable information
originated may not allow the third party found to be responsible for
the improper redisclosure access to personally identifiable information
from education records for at least five years.
(e) If the Office finds that a third party, outside the educational
agency or institution, improperly rediscloses personally identifiable
information from education records in violation of Sec. 99.33 or fails
to provide the notification required under Sec. 99.33(b)(2), then the
educational agency or institution from which the personally
identifiable information originated may not allow the third party found
to be responsible for the violation access to personally identifiable
information from education records for at least five years.
(Authority: 20 U.S.C. 1232g(b)(4)(B) and (f); 20 U.S.C. 1234c)
Note: The following appendices will not appear in the Code of
Federal Regulations.
[Appendices published as graphics on pages 75645-75660 (TR02DE11.062 through TR02DE11.077) are omitted.]
[FR Doc. 2011-30683 Filed 12-1-11; 8:45 am]