U.S. Department of Education Amends its FERPA Regulations to Allow for Certain Additional Student Disclosures
The United States Department of Education (DOE) has completed its administrative procedures and has enacted new regulations that amend current regulations enforcing the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. section 1232g. These new regulations, which are effective on January 3, 2012, allow for greater disclosures of personal and directory student identifying information and regulate student IDs and e-mail addresses, among other issues. The new regulations are found at 34 CFR, Part 99, sections 99.3, 99.31, 99.5, 99.6 and 99.37. Colleges and universities need to quickly consider the impact of these new regulations upon their current student privacy policies and existing notices. Failure to do so may result in complaints and DOE enforcement proceedings.
FERPA is a longstanding federal statute which provides that a parent or eligible student, if over the age of 18, has a right to inspect and review the student's education records and to have them amended and withdrawn, under certain circumstances. FERPA is applicable to all public K-12 school districts and virtually all post secondary institutions, as they receive federal funds under programs administered by the DOE. FERPA generally prohibits the disclosure of personally identifying information (PII) contained in "education records," without aparent's or student's written consent, to certain third parties. There are a number of statutory exceptions for emergency medical and health reasons and for law enforcement activities, among others. PII includes a student's name, social security number, parents' names, family addresses, birth dates, place of birth, a parent's maiden name, and any other data that make a student's identity easily traceable.
FERPA makes a distinction between PII and "directory information." DOE regulations allow for the disclosure of directory information, without needing a student's or parent's consent, unless the parent or student has opted out of such disclosure. A school subject to FERPA must provide a written notice to parents or students setting forth its disclosure policies concerning directory information with the procedures for opting out and contesting the student's education records.
The New Regulations
A. Directory Information and Student IDs
The new regulations clarify that an institution may, under certain circumstances, designate and disclose student ID numbers, or other unique personal identifiers, as directory information to be displayed on a student’s ID card or badge as long as the ID card is not the sole method of obtaining access to the student’s education records and is used with other credible identifiers. The regulations also provide that a parent or student may not opt out of the disclosure of such directory information.
The DOE left it up to the schools to determine what specifically should be included on a student ID. It also stated that FERPA does not require schools to force students to wear IDs. With regulations enacted in 2008, institutions may use directory information to access online electronic systems and to allow a school to require a student to disclose his/her name, identifying information and institutional e-mail address in and out of class. The DOE further clarified that an institution need not make directory information available on student IDs, but may do so if it so chooses.
B. Studies and Audit and Evaluation Exceptions
The new regulations also allow for the disclosure of PII, without student or parent consent, where institutions have contracted with organizations to conduct studies or audits of the effectiveness of education programs. However, the regulations require a written agreement with the organization containing mandatory provisions intended to guard the privacy of student records. The regulations also provide institutions with detailed, required provisions aimed at preventing PII from ending up in the hands of persons or entities not intended or permitted to receive them, and guidelines for addressing data breaches. A careful review of the regulations is necessary before an institution enters into any agreement to provide PII access to an organization that is conducting a study or an audit and evaluation.
The new regulations contain a model notification of rights form for post secondary institutions to provide to students and parents. Given the changes in the DOE's regulations described in this Alert, current notice forms must be re-examined to determine whether they are in compliance. Also, the DOE's model form has a number of optional provisions that each institution should evaluate based on their specific needs.
FERPA and the DOE's regulations are complex and create the potential for administrative sanctions. The new regulations give expanded authority to institutions to make disclosures, but a careful approach to crafting policies and disclosures is necessary to avoid administrative penalties, as well as possible lawsuits by students and parents.