Department of Education

                                                                                                                              December 9, 2008

                                                                                                                              Part II

                                                                                                                              Department of
                                                                                                                              34 CFR Part 99
                                                                                                                              Family Educational Rights and Privacy;
                                                                                                                              Final Rule
jlentini on PROD1PC65 with RULES2

                                    VerDate Aug2005   18:13 Dec 08, 2008   Jkt 217001   PO 00000   Frm 00001   Fmt 4717   Sfmt 4717   E:\FR\FM\09DER2.SGM   09DER2
74806            Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations

                                         DEPARTMENT OF EDUCATION                                 Education (the Department or we)                      disclose education records, without
                                                                                                 published a notice of proposed                        consent, to another institution even after
                                         34 CFR Part 99                                          rulemaking (NPRM) in the Federal                      the student has enrolled or transferred
                                         RIN 1855–AA05                                           Register (73 FR 15574). In the preamble               so long as the disclosure is for purposes
                                                                                                 to the NPRM, the Secretary discussed                  related to the student’s enrollment or
                                         [Docket ID ED–2008–OPEPD–0002]                          the major changes proposed in that                    transfer;
                                                                                                 document that are necessary to                           • Amending § 99.31(a)(6) to require
                                         Family Educational Rights and Privacy                   implement statutory changes made to                   that an educational agency or institution
                                         AGENCY: Office of Planning, Evaluation,                 FERPA, to implement two U.S. Supreme                  may disclose personally identifiable
                                         and Policy Development, Department of                   Court decisions, to respond to changes                information under this section only if it
                                         Education.                                              in information technology, and to                     enters into a written agreement with the
                                         ACTION: Final regulations.                              address other issues identified through               organization specifying the purposes of
                                                                                                 the Department’s experience in                        the study and the use and destruction of
                                         SUMMARY: The Secretary amends our                       administering FERPA.                                  the data;
                                         regulations implementing the Family                        We believe that the regulatory                        • Amending § 99.31 to include a new
                                         Educational Rights and Privacy Act                      changes adopted in these final                        subsection to provide standards for the
                                         (FERPA), which is section 444 of the                    regulations provide clarification on                  release of information from education
                                         General Education Provisions Act.                       many important issues that have arisen                records that has been de-identified;
                                         These amendments are needed to                          over time with regard to how FERPA                       • Amending § 99.35 to permit State
                                         implement a provision of the USA                        affects decisions that school officials               and local educational authorities and
                                         Patriot Act and the Campus Sex Crimes                   have to make on an everyday basis.                    Federal officials listed in § 99.31(a)(3) to
                                         Prevention Act, which added new                         Educational agencies and institutions                 make further disclosures of personally
                                         exceptions permitting the disclosure of                 face considerable challenges, especially              identifiable information from education
                                         personally identifiable information from                with regard to maintaining safe                       records on behalf of the educational
                                         education records without consent. The                  campuses, protecting personally                       agency or institution; and
                                         amendments also implement two U.S.                      identifiable information in students’                    • Amending § 99.36 to remove the
                                         Supreme Court decisions interpreting                    education records, and responding to                  language requiring strict construction of
                                         FERPA, and make necessary changes                       requests for data on student progress.                this exception and add a provision
                                         identified as a result of the Department’s              These final regulations, as well as the               stating that if an educational agency or
                                         experience administering FERPA and                      discussion on various provisions in the               institution determines that there is an
                                         the current regulations.                                preamble, will assist school officials in             articulable and significant threat to the
                                           These changes clarify permissible                     addressing these challenges in a manner               health or safety of a student or other
                                         disclosures to parents of eligible                      that complies with FERPA and protects                 individual, it may disclose the
                                         students and conditions that apply to                   the privacy of students’ education                    information to any person, including
                                         disclosures in health and safety                        records.                                              parents, whose knowledge of the
                                         emergencies; clarify permissible                                                                              information is necessary to protect the
                                                                                                 Notice of Proposed Rulemaking
                                         disclosures of student identifiers as                                                                         health or safety of the student or other
                                         directory information; allow disclosures                  In the NPRM, we proposed                            individuals.
                                         to contractors and other outside parties                regulations to implement section 507 of
                                                                                                 the USA Patriot Act (Pub. L. 107–56),                 Significant Changes From the NPRM
                                         in connection with the outsourcing of
                                         institutional services and functions;                   enacted October 26, 2001, and the                       These final regulations contain
                                         revise the definitions of attendance,                   Campus Sex Crimes Prevention Act,                     several significant changes from the
                                         disclosure, education records,                          section 1601(d) of the Victims of                     NPRM as follows:
                                         personally identifiable information, and                Trafficking and Violence Protection Act                 • Amending the definition of
                                         other key terms; clarify permissible                    of 2000 (Pub. L. 106–386), enacted                    personally identifiable information in
                                         redisclosures by State and Federal                      October 28, 2000. Other major changes                 § 99.3 to provide a definition of
                                         officials; and update investigation and                 proposed in the NPRM included the                     biometric record;
                                         enforcement provisions.                                 following:                                              • Removing the proposed definition
                                                                                                   • Amending § 99.5 to clarify the                    of State auditor in § 99.3 and provisions
                                         DATES: These regulations are effective
                                                                                                 conditions under which an educational                 in § 99.35(a)(3) related to State auditors
                                         January 8, 2009.
                                                                                                 agency or institution may disclose                    and audits;
                                         FOR FURTHER INFORMATION CONTACT:                        personally identifiable information from                • Revising § 99.31(a)(6) to clarify the
                                         Frances Moran, U.S. Department of                       an eligible student’s education records               specific types of information that must
                                         Education, 400 Maryland Avenue, SW.,                    to a parent without the prior written                 be contained in the written agreement
                                         room 6W243, Washington, DC 20202–                       consent of the eligible student;                      between an educational agency or
                                         8250. Telephone: (202) 260–3887.                          • Amending § 99.31(a)(1) to authorize               institution and an organization
                                           If you use a telecommunications                       the disclosure of education records                   conducting a study for the agency or
                                         device for the deaf (TDD), you may call                 without consent to contractors,                       institution;
                                         the Federal Relay Service (FRS) at 1–                   consultants, volunteers, and other                      • Removing the statement from
                                         800–877–8339.                                           outside parties to whom an educational                § 99.31(a)(16) that FERPA does not
                                           Individuals with disabilities may                                                                           require or encourage agencies or
                                                                                                 agency or institution has outsourced
                                         obtain this document in an alternative                                                                        institutions to collect or maintain
                                                                                                 institutional services or functions;
                                         format (e.g., Braille, large print,                       • Amending § 99.31(a)(1) to ensure                  information concerning registered sex
                                         audiotape, or computer diskette) on                     that teachers and other school officials              offenders;
                                         request to the contact person listed                                                                            • Requiring a State or local
jlentini on PROD1PC65 with RULES2

                                                                                                 only gain access to education records in
                                         under FOR FURTHER INFORMATION                           which they have legitimate educational                educational authority or Federal official
                                         CONTACT.                                                interests;                                            or agency that rediscloses personally
                                         SUPPLEMENTARY INFORMATION: On March                       • Amending § 99.31(a)(2) to permit                  identifiable information from education
                                         24, 2008, the U.S. Department of                        educational agencies and institutions to              records to record that disclosure if the

                                    VerDate Aug2005   18:13 Dec 08, 2008   Jkt 217001   PO 00000   Frm 00002   Fmt 4701   Sfmt 4700   E:\FR\FM\09DER2.SGM   09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations                                         74807

                                         educational agency or institution does                  information and telecommunications                    default prevention, and other activities
                                         not do so under § 99.32(b); and                         technologies.’’                                       that depend on sharing student
                                           • Revising § 99.32(b) to require an                      While most schools are aware of the                information. Another commenter stated
                                         educational agency or institution that                  various formats distance learning may                 that institutions should not be allowed
                                         makes a disclosure in a health or safety                take, we believe it is informative to list            to penalize students who opt out of
                                         emergency to record information                         the different communications media                    directory information disclosures by
                                         concerning the circumstances of the                     that are currently used. Also, we believe             denying them access to benefits,
                                         emergency.                                              that parents, eligible students, and other            services, and required activities.
                                           These changes are explained in                        individuals and organizations that use                   Several commenters said that the
                                         greater detail in the following Analysis                the FERPA regulations may find the                    definition in the proposed regulations
                                         of Comments and Changes.                                listing of formats useful.                            was confusing and unnecessarily
                                                                                                    We do not agree that the definition of             restrictive because it treats a student ID
                                         Analysis of Comments and Changes                                                                              number as the functional equivalent of
                                                                                                 attendance should be limited to receipt
                                           In response to the Secretary’s                        of instruction leading to a diploma or                an SSN. They explained that when
                                         invitation in the NPRM, 121 parties                     certificate, because this would                       providing access to records and
                                         submitted comments on the proposed                      improperly exclude many instructional                 services, many institutions no longer
                                         regulations. An analysis of the                         formats.                                              use an SSN or other single identifier
                                         comments and of the changes in the                         Changes: None.                                     that both identifies and authenticates
                                         regulations since publication of the                                                                          identity. As a result, at many
                                                                                                 (b) Directory Information (§§ 99.3 and                institutions, the condition specified in
                                         NPRM follows.
                                           We group major issues according to                    99.37)                                                the regulations for treating electronic
                                         subject, with applicable sections of the                (1) Definition (§ 99.3)                               identifiers as directory information, i.e.,
                                         regulations referenced in parentheses.                                                                        that the identifier cannot be used to gain
                                                                                                    Comment: We received a number of                   access to education records except when
                                         We discuss other substantive issues                     comments on our proposal to revise the
                                         under the sections of the regulations to                                                                      used in conjunction with one or more
                                                                                                 definition of directory information to                factors that authenticate the user’s
                                         which they pertain. Generally, we do                    provide that an educational agency or
                                         not address technical and other minor                                                                         identity, often applies to student ID
                                                                                                 institution may not designate as                      numbers as well because they cannot be
                                         changes, or suggested changes that the                  directory information a student’s social
                                         law does not authorize the Secretary to                                                                       used to gain access to education records
                                                                                                 security number (SSN) or other student                without a personal identification
                                         make. We also do not address comments                   identification (ID) number. The
                                         pertaining to issues that were not within                                                                     number (PIN), password, or some other
                                                                                                 proposed definition also provided that a              factor to authenticate the user’s identity.
                                         the scope of the NPRM.                                  student’s user ID or other unique                     Some commenters suggested that our
                                         Definitions (§ 99.3)                                    identifier used by the student to access              nomenclature is the problem and that
                                                                                                 or communicate in electronic systems                  regardless of what it is called, an
                                         (a) Attendance                                          could be considered directory                         identifier that does not allow access to
                                            Comment: We received no comments                     information but only if the electronic                education records without the use of
                                         objecting to the proposed changes to the                identifier cannot be used to gain access              authentication factors should be treated
                                         definition of the term attendance. Three                to education records except when used                 as directory information. According to
                                         commenters expressed support for the                    in conjunction with one or more factors               one commenter, allowing institutions to
                                         changes because the availability and use                that authenticate the student’s identity.             treat student ID numbers as directory
                                         of alternative instructional formats are                   All commenters agreed that student                 information in these circumstances
                                         not clearly addressed by the current                    SSNs should not be disclosed as                       would improve business practices and
                                         regulations. One commenter suggested                    directory information. Several                        enhance student privacy by encouraging
                                         that the definition could avoid                         commenters strongly supported the                     institutions to require additional
                                         obsolescence by referring to the receipt                definition of directory information as                authentication factors when using
                                         of instruction leading to a diploma or                  proposed, noting that failure to curtail              student ID numbers to provide access to
                                         certificate instead of listing the types of             the use of SSNs and student ID numbers                education records.
                                         instructional formats.                                  as directory information could facilitate                One commenter strongly opposed
                                            Discussion: We proposed to revise the                identity theft and other fraudulent                   allowing institutions to treat a student’s
                                         definition of attendance because we                     activities.                                           electronic identifier as directory
                                         received inquiries from some                               One commenter said that the                        information if the identifier could be
                                         educational agencies and institutions                   proposed regulations did not go far                   made available to parties outside the
                                         asking whether FERPA was applicable                     enough to prohibit the use of students’               school system. This commenter noted
                                         to the records of students receiving                    SSNs as a student ID number, placing                  that electronic identifiers may act as a
                                         instruction through the use of new                      SSNs on academic transcripts, and                     key, offering direct access to the
                                         technology methods that do not require                  using SSNs to search an electronic                    student’s entire file, and that PINs and
                                         a physical presence in a classroom.                     database. Another commenter expressed                 passwords alone do not provide
                                         Because the definition of attendance is                 concern that the proposed regulations                 adequate security for education records.
                                         key to determining when an                              could prohibit reporting needed to                    Another commenter said that if
                                         individual’s records at a school are                    enforce students’ financial obligations               electronic identifiers and ID numbers
                                         education records protected by FERPA,                   and other routine business practices.                 can be released as directory information,
                                         it is essential that schools and                        According to this commenter,                          then password requirements need to be
                                         institutions understand the scope of the                restrictions on the use of SSNs in                    more stringent to guard against
jlentini on PROD1PC65 with RULES2

                                         term. To prevent the regulations from                   FERPA and elsewhere demonstrate the                   unauthorized access to information and
                                         becoming out of date as new formats                     need for a single student identifier that             identity theft.
                                         and methods are developed, the                          can be tied to the SSN and other                         Some commenters recommended
                                         definition provides that attendance may                 identifying information to use for grade              establishing categories of directory
                                         also include ‘‘other electronic                         transcripts, enrollment verification,                 information, with certain information

                                    VerDate Aug2005   18:13 Dec 08, 2008   Jkt 217001   PO 00000   Frm 00003   Fmt 4701   Sfmt 4700   E:\FR\FM\09DER2.SGM   09DER2
74808            Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations

                                         made available only within the                          systems that require the release of the               should be disclosed as directory
                                         educational community. One                              student’s name or electronic identifier               information only within the school
                                         commenter expressed concern about                       within the school community. (As                      system and should not be made
                                         Internet safety because the regulations                 discussed later in this notice in our                 available outside the institution. The
                                         allow publication of a student’s e-mail                 discussion of the comments on                         disclosure of directory information is
                                         address. Another said that FERPA                        § 99.37(c), the right to opt out of                   permissive under FERPA, and,
                                         should not prevent institutions from                    directory information disclosures may                 therefore, an agency or institution is not
                                         printing the student’s ID number on an                  not be used to allow a student to remain              required to designate and disclose any
                                         ID card or otherwise restrict its use on                anonymous in class.)                                  student identifier (or any other item) as
                                         campus but that publication in a                           The regulations allow an educational               directory information. Further, while
                                         directory should not be allowed.                        agency or institution to designate a                  FERPA does not expressly recognize
                                            Two commenters asked the                             student’s user ID or other electronic                 different levels or categories of directory
                                         Department to confirm that the                          identifier as directory information if the            information, an agency or institution is
                                         regulations allow institutions to post                  identifier functions essentially like the
                                                                                                                                                       not required to make student directories
                                         grades using a code known only by the                   student’s name, and therefore,
                                                                                                                                                       and other directory information
                                         teacher and the student.                                disclosure would not be considered
                                            Discussion: We share commenters’                                                                           available to the general public just
                                                                                                 harmful or an invasion of privacy. That
                                         concerns about the use of students’                     is, the identifier cannot be used to gain             because the information is shared
                                         SSNs. In general, however, there is no                  access to education records except when               within the institution. For example,
                                         statutory authority under FERPA to                      combined with one or more factors that                under FERPA, an institution may decide
                                         prohibit an educational agency or                       authenticate the student’s identity.                  to make students’ electronic identifiers
                                         institution from using SSNs as a student                   We have historically advised that                  and e-mail addresses available within
                                         ID number, on academic transcripts, or                  student ID numbers may not be                         the institution but not release them to
                                         to search an electronic database so long                disclosed as directory information                    the general public as directory
                                         as the agency or institution does not                   because they have traditionally been                  information. In fact, the preamble to the
                                         disclose the SSN in violation of FERPA                  used like SSNs, i.e., as both an identifier           NPRM suggested that agencies and
                                         requirements. As discussed elsewhere                    and authenticator of identity. We agree,              institutions should minimize the public
                                         in this preamble, FERPA does prohibit                   however, that the proposed definition                 release of student directories to mitigate
                                         using a student’s SSN, without consent,                 was confusing and unnecessarily                       the risk of re-identifying information
                                         to search records in order to confirm                   restrictive because it failed to recognize            that has been de-identified (73 FR
                                         directory information.                                  that many institutions no longer use                  15584).
                                            Some States prohibit the use of SSNs                 student ID numbers in this manner. If a                  With regard to student ID numbers in
                                         as a student ID number, and some                        student identifier cannot be used to                  particular, an agency or institution may
                                         institutions have voluntarily ceased                    access records or communicate                         print an ID number on a student’s ID
                                         using SSNs in this manner because of                    electronically without one or more                    card whether or not the number is
                                         concerns about identity theft. Students                 additional factors to authenticate the
                                                                                                                                                       treated as directory information because
                                         are required to provide their SSNs in                   user’s identity, then the educational
                                         order to receive Federal financial aid,                                                                       under FERPA simply printing the ID
                                                                                                 agency or institution may treat it as
                                         and the regulations do not prevent an                                                                         number on a card, without more, is not
                                                                                                 directory information under FERPA
                                         agency or institution from using SSNs                   regardless of what the identifier is                  a disclosure and, therefore, is not
                                         for this purpose. We note that FERPA                    called. We have revised the definition of             prohibited. See 20 U.S.C. 1232g(b)(2). If
                                         does not address, and we do not believe                 directory information to provide this                 the student ID number is not designated
                                         that there is statutory authority under                 flexibility.                                          as directory information, then the
                                         FERPA to require, creation of a single                     We share the commenters’ concerns                  agency or institution may not disclose
                                         student identifier to replace the SSN. In               about the use of PINs and passwords. In               the card, or require the student to
                                         any case, the Department encourages                     the preamble to the NPRM, we                          disclose the card, except in accordance
                                         educational agencies and institutions, as               explained that PINs or passwords, and                 with one of the exceptions to the
                                         well as State educational authorities, to               single-factor authentication of any kind,             consent requirement, such as to school
                                         follow best practices of the educational                may not be reasonable for protecting                  officials with legitimate educational
                                         community with regard to protecting                     access to certain kinds of information                interests. If the student ID number is
                                         students’ SSNs.                                         (73 FR 15585). We also recognize that                 designated as directory information in
                                            We agree that students should not be                 user IDs and other electronic identifiers             accordance with these regulations, then
                                         penalized for opting out of directory                   may provide greater access and linking                it may be disclosed. However, the
                                         information disclosures. Indeed, an                     to information than does a person’s                   agency or institution may still decide
                                         educational agency or institution may                   name. Therefore, we remind educational                against making a directory of student ID
                                         not require parents and students to                     agencies and institutions that disclose               numbers available to the general public.
                                         waive their rights under FERPA,                         student ID numbers, user IDs, and other                  We discuss codes used by teachers to
                                         including the right to opt out of                       electronic identifiers as directory                   post grades in our discussion of the
                                         directory information disclosures. On                   information to examine their                          definition of personally identifiable
                                         the other hand, we do not interpret                     recordkeeping and data sharing
                                                                                                                                                       information elsewhere in this preamble.
                                         FERPA to require educational agencies                   practices and ensure that, when these
                                         and institutions to ensure that students                identifiers are used, the methods they                   Changes: We have revised the
                                         can remain anonymous to others in the                   select for authenticating identity                    definition of directory information in
                                         school community when using an                          provide adequate protection against the               § 99.3 to provide that directory
jlentini on PROD1PC65 with RULES2

                                         institution’s electronic communications                 unauthorized disclosure of information                information includes a student ID
                                         systems. As a result, parents and                       in education records.                                 number if it cannot be used to gain
                                         students who opt out of directory                          We also share the concern of                       access to education records except when
                                         information disclosures may not be able                 commenters who stated that students’                  used with one or more other factors to
                                         to use electronic communications                        e-mail addresses and other identifiers                authenticate the user’s identity.

                                    VerDate Aug2005   18:13 Dec 08, 2008   Jkt 217001   PO 00000   Frm 00004   Fmt 4701   Sfmt 4700   E:\FR\FM\09DER2.SGM   09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations                                      74809

                                         (2) Conditions for Disclosing Directory                 (ii) § 99.37(c)                                       educational agency or institution from
                                         Information                                                Comment: We received two comments                  using a student’s SSN when disclosing
                                                                                                 in support of our proposal to clarify in              or verifying directory information is
                                         (i) 99.37(b)
                                                                                                 this section that parents and students                based on the statutory prohibition on
                                            Comment: All comments on this                        may not use the right to opt out of                   disclosing personally identifiable
                                         provision supported our proposal to                     directory information disclosures to                  information from education records
                                         clarify that an educational agency or                   prevent disclosure of the student’s name              without consent in 20 U.S.C. 1232g(b).
                                         institution must continue to honor a                    or other identifier in the classroom.                 The prohibition applies also to any
                                         valid request to opt out of directory                      Discussion: We appreciate the                      party outside the agency or institution
                                         information disclosures even after the                  commenters’ support.                                  providing degree, enrollment, or other
                                         student no longer attends the                              Changes: None.                                     confirmation services on behalf of an
                                                                                                                                                       educational agency or institution, such
                                         institution. One commenter stated that                  (iii) § 99.37(d)                                      as the National Student Clearinghouse.
                                         the proposed regulations appropriately                                                                           A school is not required to deny a
                                                                                                    Comment: Two commenters
                                         provided former students with the                                                                             request for directory information about
                                                                                                 supported the prohibition on using a
                                         continuing ability to control the release               student’s SSN to disclose or confirm                  a student, such as confirmation whether
                                         of directory information and remarked                   directory information unless a parent or              a student is enrolled or has received a
                                         that this will benefit students and                     eligible student provides written                     degree, if the requester supplies the
                                         families. One commenter asked how                       consent. One of these commenters                      student’s SSN (or other non-directory
                                         long an opt out from directory                          questioned the statutory basis for this               information) along with the request.
                                         information disclosures must be                         interpretation.                                       However, in releasing or confirming
                                         honored. Another commenter said that                       Several commenters asked whether,                  directory information about a student,
                                         students may object if their former                     under the proposed regulations, a                     the school may not use the student’s
                                         schools do not disclose directory                       school must deny a request for directory              SSN (or other non-directory
                                         information without their specific                      information if the requester supplies the             information) supplied by the requester
                                         written consent because the school is                   student’s SSN. One commenter asked                    to identify the student or locate the
                                         unable to determine whether the                         whether a request for directory                       student’s records unless a parent or
                                         student previously opted out. This                      information that contains a student’s                 eligible student has provided written
                                         could occur, for example, if a school                   SSN may be honored so long as the                     consent. This is because confirmation of
                                         declined to disclose that a student had                 school does not use the SSN to locate                 information in education records is
                                         received a degree to a prospective                      the student’s records. One commenter                  considered a disclosure under FERPA.
                                         employer.                                               stated that the regulations could more                See 20 U.S.C. 1232g(b). A school’s use
                                                                                                 effectively protect students’ SSNs but                of a student’s SSN (or other non-
                                            Discussion: The regulations clarify
                                                                                                 was concerned that denying a request                  directory information) provided by the
                                         that once a parent or eligible student
                                                                                                 for directory information that contains               requester to confirm enrollment or other
                                         opts out of directory information
                                                                                                 an SSN may inadvertently confirm the                  directory information implicitly
                                         disclosures, the educational agency or                                                                        confirms and, therefore, discloses, the
                                         institution must continue to honor that                    One commenter expressed concern                    student’s SSN (or other non-directory
                                         election after the student is no longer in              that the prohibition on using a student’s             information). This is true even if the
                                         attendance. While this is not a new                     SSN to verify directory information                   requester also provides the school with
                                         interpretation, school districts and                    would leave schools with large student                the student’s name, date of birth, or
                                         postsecondary institutions have been                    populations unable to locate the                      other directory information to help
                                         unclear about its application and have                  appropriate record because they will                  identify the student.
                                         not administered it consistently. The                   need to rely solely on the student’s                     A school may choose to deny a
                                         inclusion in the regulations of this                    name and other directory information, if              request for directory information,
                                         longstanding interpretation is necessary                any, provided by the requester, which                 whether or not it contains a student’s
                                         to ensure that schools clearly                          may be duplicated in their databases.                 SSN, because only a parent or eligible
                                         understand their obligation to continue                 This commenter said that students                     student has a right to obtain education
                                         to honor a decision to opt out of the                   would object if institutions were unable              records under FERPA. Denial of a
                                         disclosure of directory information after               to respond quickly to requests by banks               request for directory information that
                                         a student stops attending the school,                   or landlords for confirmation of                      contains a student’s SSN is not an
                                         until the parent or eligible student                    enrollment because the request                        implicit confirmation or disclosure of
                                         rescinds it.                                            contained the student’s SSN.                          the SSN.
                                                                                                    One commenter suggested that the                      These regulations will not adversely
                                            Educational agencies and institutions
                                                                                                 regulations require an educational                    affect the ability of institutions to
                                         are not required under FERPA to
                                                                                                 agency or institution to notify a                     respond quickly to requests by parties
                                         disclose directory information to any
                                                                                                 requester that the release or                         such as banks and landlords for
                                         party. Therefore, parents and students                                                                        confirmation of enrollment that contain
                                                                                                 confirmation of directory information
                                         have no basis for objecting if an agency                                                                      the student’s SSN because students
                                                                                                 does not confirm the accuracy of the
                                         or institution does not disclose directory                                                                    generally provide written consent for
                                                                                                 SSN or other non-directory information
                                         information because it is not certain                                                                         schools to disclose information to the
                                                                                                 submitted with the request. Another
                                         whether the parent or student opted out.                                                                      inquiring party in order to obtain
                                                                                                 commenter asked whether the
                                         The regulations provide an educational                  regulations apply to confirmation of                  banking and housing services. We note,
                                         agency or institution with the flexibility              student enrollment and other directory                however, that if a school wishes to use
                                         to determine the process it believes is
jlentini on PROD1PC65 with RULES2

                                                                                                 information by outside service providers              the student’s SSN to confirm enrollment
                                         best suited to serve its population as                  such as the National Student                          or other directory information about the
                                         long as it honors prior elections to opt                Clearinghouse.                                        student, it must ensure that the written
                                         out of directory information disclosures.                  Discussion: The provision in the                   consent provided by the student
                                            Changes: None.                                       proposed regulations prohibiting an                   includes consent for the school to

                                    VerDate Aug2005   18:13 Dec 08, 2008   Jkt 217001   PO 00000   Frm 00005   Fmt 4701   Sfmt 4700   E:\FR\FM\09DER2.SGM   09DER2
74810            Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations

                                         disclose the student’s SSN to the                       institution’s ability to identify and                    Finally, we note that a transcript or
                                         requester.                                              investigate suspected fraudulent records              other document does not lose its
                                            There is no authority in FERPA to                    in a timely manner.                                   protection under FERPA, including the
                                         require a school to notify requesters that                 Discussion: For several years now,                 written consent requirements, when an
                                         it is not confirming the student’s SSN                  school officials have advised us that                 educational agency or institution
                                         (or other non-directory information)                    problems related to fraudulent records                returns it to the source. The document
                                         when it discloses or confirms directory                 typically involve a transcript or letter of           and the information in it remains an
                                         information. However, when a party                      recommendation that has been altered                  ‘‘education record’’ under FERPA when
                                         submits a student’s SSN along with a                    by someone other than the responsible                 it is returned to its source. As an
                                         request for directory information, in                   school official. Under the current                    education record, it may not be
                                         order to avoid confusion, unless a                      regulations, an educational agency or                 redisclosed except in accordance with
                                         parent or eligible student has provided                 institution may ask for a copy of a                   FERPA requirements, including
                                         written consent for the disclosure of the               record from the presumed source when                  § 99.31(a)(1), which allows the source
                                         student’s SSN, the school may indicate                  it suspects fraudulent activity. However,             institution to disclose the information to
                                         that it has not used the SSN (or other                  simply asking for a copy of a record may              teachers and other school officials with
                                         non-directory information) to locate the                not be adequate, for example, if the                  legitimate educational interests, such as
                                         student’s records and that its response                 original record no longer exists at the               persons who need to verify the accuracy
                                         may not and does not confirm the                        sending institution. In these                         or authenticity of the information. If the
                                         accuracy of the SSN (or other non-                      circumstances, an institution will need               source institution makes any further
                                         directory information) supplied with the                to return a record to its identified source           disclosures of the record or information,
                                         request.                                                to be able to verify its authenticity. The            it must record them.
                                            We recognize that with a large                       final regulations permit a targeted                      Changes: None.
                                         database of student information, there                  release of records back to the stated
                                         may be some loss of ability to identify                                                                       Additional Changes to the Definition of
                                                                                                 source for verification purposes in order
                                         students who have common names if                                                                             Disclosure
                                                                                                 to provide schools with the flexibility
                                         SSNs are not used to help identify the                  needed for this process while preserving                 Comment: Several commenters
                                         individual. However, schools that do                    a more general prohibition on the                     requested additional changes to the
                                         not use SSNs supplied by a party                        release of information from education                 definition of disclosure. One commenter
                                         requesting directory information, either                records.                                              requested that any transfer of education
                                         because the student has not provided                       We do not agree that the term                      records to a State’s longitudinal data
                                         written consent or because the school is                disclosure as proposed in the NPRM is                 system not be considered a disclosure.
                                         not certain that the written consent                    too broad and could lead to the                       Several commenters requested that
                                         includes consent for the school to                      improper release of highly sensitive                  additional changes be made so that a
                                         disclose the student’s SSN, generally                   documents to anyone claiming to be the                school could provide current education
                                         may use the student’s address, date of                  creator of the record. School officials               records of students back to the students’
                                         birth, school, class, year of graduation,               have not advised us that they have had                former schools or districts. A
                                         and other directory information to                      problems receiving IEP records and                    commenter recommended excluding
                                         identify the student or locate the                      other highly sensitive materials from                 from the definition of disclosure
                                         student’s records.                                      parties who did not in fact create or                 statistical information that is personally
                                            Changes: None.                                       provide the record. Therefore, we do not              identifiable because of small cell sizes
                                                                                                 believe that the proposed definition of               when the recipient agrees to maintain
                                         (c) Disclosure (§ 99.3)                                                                                       the confidentiality of the information.
                                                                                                 disclosure is too broad.
                                            Comment: Two commenters said that                       The commenters are correct that the                   Discussion: The revised definition of
                                         the proposal to revise the definition of                return of an education record to its                  disclosure, which excludes the return of
                                         disclosure to exclude the return of a                   source does not have to be recorded,                  a document to its stated source, clarifies
                                         document to its source was too broad                    because it is not a disclosure. We do not             that information provided by school
                                         and could lead to improper release of                   consider this problematic, however,                   districts or postsecondary institutions to
                                         highly sensitive documents, such as an                  because the information is merely being               State educational authorities, including
                                         individualized education program (IEP)                  returned to the party identified as its               information maintained in a
                                         contained in a student’s special                        source. This is similar to the situation              consolidated student records system,
                                         education records, to anyone claiming                   in which a school is not required under               may be provided back to the original
                                         to be the creator of a record. One of the               the regulations to record disclosures of              district or institution without consent.
                                         commenters stated that changing the                     education records made to school                      There is no statutory authority,
                                         definition was unnecessary, as schools                  officials with legitimate educational                 however, to exclude from the definition
                                         already have a means of verifying                       interests. As in that instance, there is no           of disclosure a school district’s or
                                         documents by requesting additional                      direct notice to a parent or student of               institution’s release or transfer of
                                         copies from the source. Both                            either the disclosure of the record or the            personally identifiable information from
                                         commenters also expressed concern                       information in the record. We also                    education records to its State
                                         that, because recordation is not                        believe that if a questionable document               longitudinal data system. (We discuss
                                         required, a parent or eligible student                  is deemed to be inauthentic by the                    the disclosure of education records in
                                         will not be aware that the verification                 source, the student will be informed of               connection with the development of
                                         occurred.                                               the results of the authentication process             consolidated, longitudinal data systems
                                            We also received comments of strong                  by means other than seeing a record of                in our response to comments on
                                         support for the proposed change to the                  the disclosure in the student’s file.                 redisclosure and recordkeeping
jlentini on PROD1PC65 with RULES2

                                         definition of disclosure. The                           There appears to be little value in                   requirements elsewhere in this
                                         commenters stated that this change,                     notifying a parent or student that a                  preamble.) Likewise, there is no
                                         targeted to permit the release of records               document was suspected of being                       statutory authority to exclude from the
                                         back to the institution that presumably                 fraudulent if the document is found to                definition of disclosure the release of
                                         created them, will enhance an                           be genuine and accurate.                              personally identifiable information from

                                    VerDate Aug2005   18:13 Dec 08, 2008   Jkt 217001   PO 00000   Frm 00006   Fmt 4701   Sfmt 4700   E:\FR\FM\09DER2.SGM   09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations                                       74811

                                         education records to parties that agree to              opportunity to challenge the content                  confidential information, such as
                                         keep the information confidential. (See                 because the information is not an                     special education diagnoses,
                                         our discussion of personally identifiable               education record under FERPA.                         educational supports, or mental or
                                         information and de-identified records                      Discussion: It has long been the                   physical health and treatment
                                         and information elsewhere in this                       Department’s interpretation that records              information. Our changes to the
                                         preamble.)                                              created or received by an educational                 definition were intended to clarify that
                                            The revised regulations do not                       agency or institution on a former                     schools may not disclose this
                                         authorize the disclosure of education                   student that are directly related to the              information to the media or other
                                         records to third parties who are not                    individual’s attendance as a student are              parties, without consent, simply
                                         identified as the provider or creator of                not excluded from the definition of                   because a student is no longer in
                                         the record. For example, a college may                  education records under FERPA, and                    attendance at the school at the time the
                                         not send a student’s current college                    that records created or received on a                 record was created or received. A parent
                                         records to a student’s high school under                former student that are not directly                  or eligible student who wishes to share
                                         the revised definition of disclosure                    related to the individual’s attendance as             the student’s own records with the
                                         because the high school is not the stated               a student are excluded from the                       media or other parties is free to do so.
                                         source of those records. (We discuss this               definition and, therefore, are not                       Neither FERPA nor the regulations
                                         issue elsewhere in the preamble under                   ‘‘education records.’’ The proposed                   contains a provision for a parent or
                                         Disclosure of Education Records to                      regulations in paragraph (b)(5) were                  eligible student to challenge information
                                         Students’ Former Schools.)                              intended to clarify the use of this                   that is not contained in an education
                                            Changes: None.                                       exclusion, not to change or expand its                record. FERPA does not prohibit a
                                                                                                 scope.                                                parent or student from using other
                                         (d) Education Records                                      Our use of the phrase ‘‘directly related           venues to seek redress for collection and
                                         (1) Paragraph (b)(5)                                    to the individual’s attendance as a                   release of information in non-education
                                                                                                 student’’ to describe records that do not             records.
                                            Comment: Several commenters                          fall under this exclusion from the                       Changes: None.
                                         supported our proposal to clarify the                   definition of education records is not
                                         existing exclusion from the definition of                                                                     (2) Paragraph (b)(6)
                                                                                                 inconsistent with the term ‘‘personally
                                         education records for records that only                 identifiable’’ as used in other parts of                Comment: We received several
                                         contain information about an individual                 the regulations and should not be                     comments supporting the proposed
                                         after he or she is no longer a student,                 confused. The term ‘‘personally                       changes to the definition of education
                                         which we referred to as ‘‘alumni                        identifiable information’’ is used in the             records that would exclude from the
                                         records’’ in the NPRM, 73 FR 15576.                     statute and regulations to describe the               definition grades on peer-graded papers
                                         One commenter suggested that the term                   kind of information from education                    before they are collected and recorded
                                         ‘‘directly related,’’ which is used in the              records that may not be disclosed                     by a teacher. These commenters
                                         amended definition in reference to a                    without consent. See 20 U.S.C. 1232g(b);              expressed appreciation that this revision
                                         student’s attendance, is inconsistent                   34 CFR 99.3, 99.30. While ‘‘personally                would be consistent with the U.S.
                                         with the use of the term ‘‘personally                   identifiable information’’ maintained by              Supreme Court’s decision on peer-
                                         identifiable’’ in other sections of the                 an agency or institution is generally                 graded papers in Owasso Independent
                                         regulations and could cause confusion.                  considered an ‘‘education record’’ under              School Dist. No. I–011 v. Falvo, 534 U.S.
                                            One commenter asked whether a                        FERPA, personally identifiable                        426 (2002) (Owasso). Two commenters
                                         postsecondary school could provide a                    information does not fall under this                  asked how the provision would be
                                         student’s education records from the                    exclusion from the definition of                      applied to the use of group projects and
                                         postsecondary school to a secondary                     education records if the information is               group grading within the classroom.
                                         school that the student attended                        not directly related to the student’s                   Discussion: The proposed changes to
                                         previously.                                             attendance as a student. For example,                 the definition of education records in
                                            Several commenters objected to the                   personally identifiable information                   paragraph (b)(6) are designed to
                                         proposed regulations because, according                 related solely to a student’s activities as           implement the U.S. Supreme Court’s
                                         to the commenters, the regulations                      an alumnus of an institution is excluded              2002 decision in Owasso, which held
                                         would expand the records subject to                     from the definition of education records              that peer grading does not violate
                                         FERPA’s prohibition on disclosure of                    under this provision. We think that the               FERPA. As noted in the NPRM, 73 FR
                                         education records without consent. A                    term ‘‘directly related’’ is clear in this            15576, the Court held in Owasso that
                                         journalist stated that the settlement                   context and will not be confused with                 peer grading does not violate FERPA
                                         agreement cited in the NPRM is an                       ‘‘personally identifiable.’’                          because ‘‘the grades on students’ papers
                                         example of a record that should be                         A postsecondary institution may not                would not be covered under FERPA at
                                         excluded from the definition and that                   disclose a student’s postsecondary                    least until the teacher has collected
                                         schools already are permitted to protect                education records to the secondary                    them and recorded them in his or her
                                         too broad a range of documents from                     school previously attended by the                     grade book.’’ 534 U.S. at 436.
                                         public review because the documents                     student under this provision because                     As suggested by the Supreme Count
                                         are education records. The commenter                    these records are directly related to the             in Owasso, 534 U.S. at 435, FERPA is
                                         stated that information from education                  student’s attendance as a student at the              not intended to interfere with a
                                         records such as a settlement agreement                  postsecondary institution. (We discuss                teacher’s ability to carry out customary
                                         is newsworthy, unlikely to contain                      this issue further under Disclosure of                practices, such as group grading of team
                                         confidential information, and that                      Education Records to Students’ Former                 assignments within the classroom. Just
                                         disclosure of such information provides                 Schools.)                                             as FERPA does not prevent teachers
jlentini on PROD1PC65 with RULES2

                                         a benefit to the public. Another                           We do not agree that documents such                from allowing students to grade a test or
                                         commenter expressed concern that the                    as settlement agreements are unlikely to              homework assignment of another
                                         regulations allow schools to collect                    contain confidential information. Our                 student or from calling out that grade in
                                         negative information about a former                     experience has been that these                        class, even though the grade may
                                         student without giving the individual an                documents often contain highly                        eventually become an education record,

                                    VerDate Aug2005   18:13 Dec 08, 2008   Jkt 217001   PO 00000   Frm 00007   Fmt 4701   Sfmt 4700   E:\FR\FM\09DER2.SGM   09DER2
74812            Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations

                                         FERPA does not prohibit the discussion                  publicly funded programs. Another                     State auditor in § 99.3 and did not
                                         of group or individual grades on                        commenter recommended that the                        examine which of the various types of
                                         classroom group projects, so long as                    regulations include examination of                    officials, offices, committees, and staff
                                         those individual grades have not yet                    education records by health department                in executive and legislative branches of
                                         been recorded by the teacher. The                       officials to improve compliance with                  State government should be included in
                                         process of assigning grades or grading                  mandated immunization schedules.                      the definition. We are concerned that
                                         papers falls outside the definition of                     The majority of the comments we                    without the narrow definition of audit
                                         education records in FERPA because the                  received with respect to the inclusion of             as proposed in § 99.35(a)(3), the
                                         grades are not ‘‘maintained’’ by an                     local auditors in the proposed definition             proposed definition of State auditor
                                         educational agency or institution at least              of State auditor in § 99.3 supported                  may allow non-consensual disclosures
                                         until the teacher has recorded the                      permitting local auditors to have access              of education records to a variety of
                                         grades.                                                 to personally identifiable information                officials for purposes not supported by
                                           Changes: None.                                        for purposes of auditing Federal or State             the statute. The Department will study
                                                                                                 supported education programs. One                     the matter further and may issue new
                                         (e) Personally Identifiable Information
                                                                                                 commenter said that local auditors                    regulations or guidance, as appropriate.
                                            Comments on the proposed definition                  should not be included in the                         In the interim, the Department will
                                         of personally identifiable information                  definition, while another commenter                   provide guidance on a case-by-case
                                         are discussed elsewhere in this                         stated that auditors for the city health              basis.
                                         preamble under the heading Personally                   department need access to FERPA-                        Changes: We are not including the
                                         Identifiable Information and De-                        protected information to determine the                definition of State auditor in § 99.3 and
                                         identified Records and Information.                     accuracy of claims for payment and                    the provisions related to State auditors
                                         (f) State Auditors and Audits (§§ 99.3                  asked for further clarification on the                and audits in § 99.35(a)(3) in these final
                                         and Proposed 99.35(a)(3))                               issue.                                                regulations.
                                                                                                    Discussion: We explained in the
                                            Comment: Several commenters                          preamble to the NPRM that the statute                 Disclosures to Parents (§§ 99.5 and
                                         supported the clarification in proposed                 allows disclosure of personally                       99.36)
                                         § 99.35(a)(3) that State auditors may                   identifiable information from education                  Comment: A majority of commenters
                                         have access to education records,                       records without consent to authorized                 approved of the Secretary’s efforts to
                                         without consent, in connection with an                  representatives of ‘‘State educational                clarify that, even after a student has
                                         ‘‘audit’’ of Federal or State supported                 authorities’’ in connection with an audit             become an eligible student, an
                                         education programs under the exception                  or evaluation of Federal or State                     educational agency or institution may
                                         to the written consent requirement for                  supported education programs. 73 FR                   disclose education records to the
                                         authorized representatives of ‘‘State and               15577. Legislative history indicates that             student’s parents, without the consent
                                         local educational authorities.’’ All but                Congress amended the statute in 1979 to               of the student, if certain conditions are
                                         one of the commenters, however,                         ‘‘correct an anomaly’’ in which the                   met. Those commenters stated that the
                                         disagreed strongly with the proposed                    existing exception to the consent                     clarification was especially helpful,
                                         definition of audit in § 99.35(a)(3),                   requirement in 20 U.S.C. 1232g(b)(3)                  particularly in light of issues that arose
                                         which was limited to testing compliance                 was interpreted to preclude State                     after the April 2007 shootings at the
                                         with applicable laws, regulations, and                  auditors from obtaining access to                     Virginia Polytechnic Institute and State
                                         standards and did not include the                       education records for audit purposes.                 University (Virginia Tech). A
                                         broader concept of evaluations.                         See H.R. Rep. No. 338, 96th Cong., 1st                commenter stated that the clarification
                                            In general, the commenters said that                 Sess. at 10 (1979), reprinted in 1979 U.S.            will assist emergency management
                                         the proposed definition of audit was too                Code Cong. & Admin. News 819, 824.                    officials on college and university
                                         narrow and would prevent State                          However, because the amended                          campuses and help school officials
                                         auditors from conducting performance                    statutory language in 20 U.S.C.                       know when they can properly share
                                         audits and other services that they                     1232g(b)(5) refers only to ‘‘State and                student information with parents and
                                         routinely provide in accordance with                    local educational officials,’’ the                    students. One commenter expressed
                                         professional auditing standards,                        proposed regulations sought to clarify                support for the proposed regulations,
                                         including the U.S. Comptroller’s                        that this included ‘‘State auditors’’ or              because it has been her experience that
                                         Government Auditing Standards. See                      auditors with authority and                           colleges do not share information with
                                A                         responsibility under State law for                    parents on their children’s financial aid
                                         State legislative auditor noted, for                    conducting audits. Due to the breadth of              or academic status.
                                         example, that 45 State legislatures have                this inclusion, however, the proposed                    Some commenters disagreed with the
                                         established legislative program                         regulations also sought to limit access to            proposed changes. One stated that, due
                                         evaluation offices whose express                        education records by State auditors by                to varying family dynamics, disclosures
                                         purpose is to provide research and                      narrowing the definition of audit.                    should not be limited only to parents,
                                         evaluation for legislative decision                        The Secretary has carefully reviewed               but should also include other
                                         making, and that these offices regularly                the comments and, based upon further                  appropriate family members. Another
                                         use personally identifiable information                 intradepartmental review, has decided                 commenter objected to the phrase in
                                         from education records for their work.                  to remove from the final regulations the              § 99.5(a)(2) that would permit disclosure
                                         Some of the commenters also                             provisions related to State auditors and              to a parent without the student’s
                                         questioned whether financial audits and                 audits in §§ 99.3 and 99.35(a)(3). We                 consent if the disclosure meets ‘‘any
                                         attestation engagements would be                        share the commenters’ concerns about                  other provision in § 99.31(a).’’ The
                                         excluded under the proposed definition.                 preventing State auditors from                        commenter stated that this ‘‘catch-all
jlentini on PROD1PC65 with RULES2

                                            One commenter said that the State                    conducting activities that they routinely             phrase’’ exceeded statutory authority.
                                         auditor provisions in proposed §§ 99.3                  perform under applicable auditing                        Noting the sensitivity of financial
                                         and 99.35(a)(3) should be expanded to                   standards. However, because our focus                 information included in income tax
                                         apply to other non-education State                      was on the narrow definition of audit,                returns, a few commenters raised
                                         officials responsible for evaluating                    we proposed a very broad definition of                concerns about the discussion in the

                                    VerDate Aug2005   18:13 Dec 08, 2008   Jkt 217001   PO 00000   Frm 00008   Fmt 4701   Sfmt 4700   E:\FR\FM\09DER2.SGM   09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations                                          74813

                                         NPRM in which we explained that an                      health or safety emergency under                      modelform.html and
                                         institution can determine that a parent                 §§ 99.31(a)(10) and 99.36.                            policy/gen/guid/fpco/ferpa/safeschools/
                                         claimed a student as a dependent by                        In most cases, when an educational                 modelform2.html.
                                         asking the parent to supply a copy of the               agency or institution discloses                          With regard to the comment about
                                         parent’s most recent Federal tax return.                education records to parents of an                    high school students who are
                                         Another commenter stated that the                       eligible student, we expect the                       concurrently enrolled in postsecondary
                                         NPRM did not go far enough and                          disclosure to be made under the                       institutions as early as ninth grade,
                                         recommended specifically requiring an                   dependent student provision                           FERPA not only permits those
                                         institution to rely on a copy of a parent’s             (§ 99.31(a)(8)), in connection with a                 postsecondary institutions to disclose
                                         most recent Federal tax return to                       health or safety emergency                            information to parents of the high
                                         determine a student’s dependent status,                 (§§ 99.31(a)(10) and 99.36), or if a                  school students who are dependents for
                                         while another commenter recommended                     student has committed a disciplinary                  Federal income tax purposes, it also
                                         that we change the regulations to                       violation with respect to the use or                  permits high schools and postsecondary
                                         indicate that only the parent who has                   possession of alcohol or a controlled                 institutions who have dually-enrolled
                                         claimed the student as a dependent may                  substance (§ 99.31(a)(15)). This is the               students to share information. Where a
                                         have access to the student’s education                  reason we mention these provisions                    student is enrolled in both a high school
                                         records.                                                specifically in the regulations. However,             and a postsecondary institution, the two
                                            A commenter noted that some States                   inclusion of the phrase ‘‘of any other                schools may share education records
                                         have high school students who are                       provision in § 99.31(a)’’ in § 99.5(a)(2) is          without the consent of either the parents
                                         concurrently enrolled in secondary                      necessary and within our statutory                    or the student under § 99.34(b). If the
                                         schools and postsecondary institutions                  authority because there may be other                  student is under 18, the parents still
                                         as early as ninth grade and supported                   exceptions to FERPA’s general consent                 retain the right under FERPA to inspect
                                         the clarification that postsecondary                    requirement under which an agency or                  and review any education records
                                         institutions may disclose information to                institution might disclose education                  maintained by the high school,
                                         parents of students who are tax                         records to a parent of an eligible                    including records that the college or
                                         dependents.                                             student, such as the directory                        university disclosed to the high school,
                                                                                                 information provision in § 99.31(a)(11)               even though the student is also
                                            Discussion: Parents’ rights under
                                                                                                 and the provision permitting disclosure               attending the postsecondary institution.
                                         FERPA transfer to a student when the
                                                                                                 in compliance with a court order or                      Changes: None.
                                         student reaches age 18 or enters a
                                                                                                 lawfully issued subpoena in
                                         postsecondary institution. 20 U.S.C.                                                                          Outsourcing (§ 99.31(a)(1)(i)(B))
                                                                                                 § 99.31(a)(9).
                                         1232g(d). However, under § 99.31(a)(8),                    As we explained in the NPRM,
                                         an educational agency or institution                                                                          (a) Outside Parties Who Qualify as
                                                                                                 institutions can determine that a parent              School Officials
                                         may disclose education records to an                    claims a student as a dependent by
                                         eligible student’s parents if the student               asking the parent to submit a copy of the                Comment: A few commenters
                                         is a dependent as defined in section 152                parent’s most recent Federal income tax               disagreed with the proposal to expand
                                         of the Internal Revenue Code of 1986.                   return. However, we do not think it is                the ‘‘school officials’’ exception in
                                         Under § 99.31(a)(8), neither the age of a               appropriate to require an agency or                   § 99.31(a)(1)(i)(B) to include contractors,
                                         student nor the parent’s status as                      institution to rely only on the most                  consultants, volunteers, and other
                                         custodial parent is relevant to the                     recent tax return to determine the                    outside parties to whom an educational
                                         determination whether disclosure of                     student’s dependent status because                    agency or institution has outsourced
                                         information from an eligible student’s                  institutions should have flexibility in               institutional services or functions it
                                         education records to that parent without                how to reach this determination. For                  would otherwise use employees to
                                         written consent is permissible under                    instance, institutions may rely instead               perform. They believed that the
                                         FERPA. If a student is claimed as a                     on a student’s assertion that he or she               modifications undermined the plain
                                         dependent for Federal income tax                        is not a dependent unless the parent                  language of the statute and
                                         purposes by either parent, then under                   provides contrary evidence. We agree                  congressional intent. Several other
                                         the regulations, either parent may have                 that financial information on a Federal               commenters supported the proposed
                                         access to the student’s education                       tax return is sensitive information and,              regulations, saying that it was helpful to
                                         records without the student’s consent.                  for that reason, in providing technical               include in the regulations what has
                                            The statutory exception to the consent               assistance and compliance training to                 historically been the Department’s
                                         requirement in FERPA for the disclosure                 school officials, we have advised that                interpretation of the ‘‘school officials’’
                                         of records of dependent students applies                parents may redact all financial and                  exception. A majority of commenters,
                                         only to the parents of the student. 20                  other unnecessary information that                    while not agreeing or disagreeing with
                                         U.S.C. 1232g(b)(1)(H). Accordingly, the                 appears on the form, as long as the tax               the proposed changes in
                                         Secretary does not have statutory                       return clearly shows the parent’s or                  § 99.31(a)(1)(i)(B), raised a number of
                                         authority to apply § 99.31(a)(8) to any                 parents’ names and the fact that the                  issues concerning the proposal.
                                         other family members. However, under                    student is claimed as a dependent.                       Several commenters expressed
                                         § 99.30(b)(3), an eligible student may                     In addition, in the fall of 2007, we               concern that the requirement that an
                                         provide consent for the school to                       developed two model forms that appear                 outside party must perform an
                                         disclose information from his or her                    on the Department’s Family Policy                     institutional service or function for
                                         education records to another family                     Compliance Office (FPCO or the Office)                which the agency or institution would
                                         member. In some situations, such as                     Web site that institutions may adapt and              otherwise use employees is too
                                         when there is no parent in the student’s                provide to students at orientation to                 restrictive and impractical. One
jlentini on PROD1PC65 with RULES2

                                         life or the student is married, a spouse                indicate whether they are a dependent                 commenter noted that some functions
                                         or other family member may be                           and, if not, obtaining consent from the               that a contractor performs could not be
                                         considered an appropriate party to                      student for disclosure of information to              performed by a school official.
                                         whom a disclosure may be made,                          parents:                   Some commenters said we should
                                         without consent, in connection with a                   guid/fpco/ferpa/safeschools/                          clarify the regulations to explain the

                                    VerDate Aug2005   18:13 Dec 08, 2008   Jkt 217001   PO 00000   Frm 00009   Fmt 4701   Sfmt 4700   E:\FR\FM\09DER2.SGM   09DER2
You can also read
Next part ... Cancel