1 / 38

Proposed Changes to FERPA Regulations

FERPA Basics

talmai
Download Presentation

Proposed Changes to FERPA Regulations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Proposed Changes to FERPA Regulations Jonathan D. Tarnow, Esq. Drinker Biddle & Reath LLP April 8, 2008

    2. FERPA Basics – Where is it? Enacted by § 513 of the Education Amendments of 1974 (P.L. 93-380) FERPA provisions also known as the “Buckley Amendment” Codified at 20 U.S.C. § 1232g (General Education Provisions Act) U.S. Department of Education (“ED”) regulations at 34 C.F.R. Part 99

    3. FERPA Basics – Who is covered? Any public or private agency or institution which is the recipient of funds under any applicable program administered by ED, if: Institution provides educational services and/or instruction to students; or Educational agency is authorized to direct and control public elementary, secondary, or postsecondary educational institutions. Title IV of the HEA is an “applicable program.”

    4. FERPA Basics – Key Concepts Either parent or “eligible student” have the right to inspect and review the student's education records maintained by the agency or institution. Either parent or “eligible student” have the right to request corrections to records which they believe to be inaccurate or misleading.

    5. FERPA Basics – Key Concepts Institution cannot disclose personally identifiable information from student’s education records. Unless properly designated as “directory information” with no opt out by the student, or Student’s prior written consent, or An applicable FERPA exception permits disclosure without consent.

    6. Notice of Proposed Rulemaking Proposed Rule published on March 24, 2008: Revises several key definitions. Implements currently-effective provisions of the USA Patriot Act and the Clery Act. Implements recent U.S. Supreme Court decisions. Codifies into regulations certain guidance previously provided by ED (Family Policy Compliance Office). Clarifies permissive disclosures to parents of eligible students (i.e., students over 18 or attending postsecondary institutions).

    7. Notice of Proposed Rulemaking Proposed Rule (cont’d): Clarifies use of student identifiers in “directory information”. Expressly allows disclosures to entities performing outsourced institutional services/functions. Clarifies permissive re-disclosures of student information by Federal and State officials. Updates investigation and enforcement provisions. Additional technical corrections. Comments due by May 8, 2008.

    8. Definition of Attendance FERPA does not cover persons who have not been in attendance as a student. Current regulatory definition of “attendance” does not address distance education delivery methods. Proposed Rule: Definition would specifically include attendance by videoconference, satellite, Internet, or other electronic information and telecommunications technologies for students not physically present in classroom.

    9. Definition of Directory Information FERPA allows disclosure, without student consent, of certain information designated by a school as directory information. Annual notice condition must be met. Opt-out condition must be met. Current regulations do not specify whether a student’s SSN, ID number or personal identifier for use in electronic systems may be designated and disclosed as directory information.

    10. Definition of Directory Information Proposed Rule: SSN and other ID numbers cannot be designated directory information. Schools may designate as directory information a user ID or other unique identifier used by the student to access or communicate in electronic systems. Condition: User ID or other unique identifier must not permit access to education records covered by FERPA except when combined with other authenticating information known only to the student (e.g., another separate password or PIN).

    11. Definition of Disclosure (regarding originating party) Current regulations do not address the return of records by an institution to the outside party that created or provided them. Proposed Rule: “Disclosure” does not include returning an education record, or personally identifiable information from an education record, to the party identified as having provided or created the record. Useful in verifying authenticity of diplomas and transcripts without having to involve the student.

    12. Definition of Education Records (regarding former students) Current regulations specify that “education records” do not include records that only contain information about an individual after he or she is no longer a student. Proposed Rule: Clarifies that exclusion applies to records created or received by an institution after an individual is no longer a student in attendance and are not directly related to the individual’s attendance as a student. Intended to cover only records that concern an individual or events that occur after the individual is no longer a student in attendance, such as alumni activities.

    13. Definition of Education Records (regarding peer-graded papers) Current regulations define education records as records that are “maintained by an educational agency or institution,” or a party acting for the educational agency or institution Does not provide any guidance on the status of student-graded tests and assignments before they have been collected and recorded by a teacher. Proposed Rule (Owasso v. Falvo): Peer-graded papers that have not been collected and recorded by a teacher are not considered “maintained by an educational agency or institution” and, therefore, are not education records under FERPA.

    14. Definition of Personally Identifiable Information Current regulations define “personally identifiable information” to include student’s name and other personal identifiers, such as: SSN or student ID number; Indirect identifiers such as the name of the student’s parent or other family members; The address of the student or the student’s family; Personal characteristics or other information that would make the student’s identity easily traceable.

    15. Definition of Personally Identifiable Information Proposed Rule: Remove the phrase “personal characteristics or other information” from the definition. Add to definition: “other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.” Also include: Information requested by a person who the institution reasonably believes has direct, personal knowledge of the identity of the student to whom the education record directly relates. Also include: Biometric records of the student.

    16. Definition of State Auditors Current regulations do not address the disclosure of education records to State auditors (except those that would be covered by permitted disclosure to State Educational Authorities). Proposed Rule: Define State auditor as a party under any branch of government with authority and responsibility under State law for conducting audits. Clarify that State auditors that are not State or local educational authorities may have access to education records in connection with an audit of Federal or State supported education programs.

    17. Disclosure to Parents of Eligible Students Under FERPA, ether parent or “eligible student” possesses FERPA rights (never both at the same time). Students 18 or older, or in attendance at postsecondary institutions, are “eligible students.” Proposed regulations clarify that institutions may still disclose information about a student to his/her parents: Exception for health or safety emergencies; Exception for alcohol/controlled substance use and student is under age 21. Other exceptions, such as court orders and subpoenas. Students who are dependents for tax purposes.

    18. Disclosure to Entities Performing Outsourced Services/Functions Education records include records maintained by an educational agency or institution or by ‘‘a person acting for’’ the agency or institution. Current regulations allows disclosure of personally identifiable information from education records without consent to school officials within the institution if the institution has determined that they have legitimate educational interests in the information. Current regulations do not address disclosure of education records without consent to contractors, consultants, volunteers, and other outside parties providing institutional services and functions or otherwise acting for an agency or institution.

    19. Disclosure to Entities Performing Outsourced Services/Functions Proposed Rule: “School official” exemption includes contractors, consultants, volunteers, and other outside parties. Outside party must be: Performing services or functions that institution would otherwise use its own employees to perform. Under the direct control of the institution. Subject to the same conditions governing the use and redisclosure of education records that apply to other school officials. Institution must provide notice of outside parties in its annual FERPA notification to students.

    20. Disclosure to Entities Performing Outsourced Services/Functions Records directly related to a student that are maintained by outside party acting for the institution are subject to all FERPA requirements. Institution is responsible for outside parties’ failures to comply with FERPA requirements. For example, no disclosure by outside party without applicable exemption or student consent. The proposed regulations expressly supersede any previous technical assistance guidance issued by ED on this subject.

    21. Access to Education Records by School Officials Current regulations do not specify whether institution must ensure that school officials obtain access to only records in which they have legitimate educational interests. Proposed Rule: Must use reasonable methods to ensure that teachers and other school officials obtain access to only those education records in which they have legitimate educational interests. Combination of appropriate physical, technical, administrative and operational controls. If physical or technological controls are not utilized, policies and procedures regarding access must be effective in limiting access. Reasonableness depends on usual and customary good practices, requiring ongoing review and modification.

    22. Disclosure to School Where Student Seeks or Intends to Enroll Current regulations permit institution may disclose education records, without prior written consent, to another institution where the student seeks or intends to enroll. Proposed Rule: Institution may disclose education records, without consent, to another institution even after a student has already enrolled or transferred. Not just if the student seeks or intends to enroll. Only if the disclosure is for purposes related to the student’s enrollment or transfer.

    23. Disclosure to Organizations Conducting Studies Current regulations allow institution to disclose personally identifiable information from education records, without consent, to organizations conducting studies for or on behalf of the institution for purposes of testing, student aid, and improvement of instruction. Information must be protected to protect individual identities and must be destroyed when no longer needed for study. No explanation of what “for or on behalf of the institution” means.

    24. Disclosure to Organizations Conducting Studies Proposed Rule: Institution must enter into written agreement with recipient organization that specifies the purpose of the study. Institution does not have to agree with or endorse the conclusions or results of the study. Agreement must: Specify that disclosed information may only be used to meet the purposes of the study stated in the written agreement; and Must contain the current restrictions on redisclosure and destruction of information requirements.

    25. Disclosure under USA Patriot Act USA Patriot Act enacted following terrorist attacks of September 11, 2001. Created new statutory exception in FERPA to the normal prior written consent requirement. Regulations never updated although change was effective at time of statutory change. Proposed Rule: Institution served with ex parte order from U.S. Justice Department: Confirm that order is facially valid. No notice to student of receipt. No record of response made to student file.

    26. Disclosure under Campus Sex Crimes Prevention Act Campus Sex Crimes Prevention Act amended FERPA to permit institutions to disclose information regarding registered sex offenders provided to the institution by the State. Receipt of information through appropriate State registry or community notification program. Proposed Rule makes conforming changes to FERPA regulations.

    27. De-Identification of Information Guidance requested about how schools may disclose ‘‘redacted’’ education records that concern students or incidents that are well-known in the school or its community (and thus would be personally identifiable despite the redaction). Proposed Rule: Objective standards under which institutions may release, without consent, education records, or information from education records, that has been “de-identified” through the removal of all personally identifiable information. Key consideration: Whether a reasonable person in the school or its community, without personal knowledge of the relevant circumstances, would be able to identify a student with reasonable certainty.

    28. De-Identification of Information For releases of data, choice of de-identifying method depends on nature of data and should: Recognize that the re-identification risk of any given release is cumulative (i.e., directly related to what has previously been released). Minimize information released in directories to the extent possible (the risk of re-identification from such information has grown as a result of new technologies and methods). Apply a consistent de-identification strategy for all of data releases of a similar type.

    29. Identification and Authentication of Person/Entity Receiving Disclosure Current regulations do not address whether an institution must ensure that it has properly identified a party to whom it discloses personally identifiable information from education records. Proposed Rule: Institution must use reasonable methods to identify and authenticate the identity of recipient before information is provided. Must reduce the risk of unauthorized disclosure to a level that is commensurate with the likely threat and potential harm from wrongful disclosure. Usual and customary good business practices of educational agencies and institutions, which requires ongoing review and modification of procedures, where appropriate, as standards and technologies change.

    30. Redisclosures of Information Current regulations permit institutions to disclose, without student consent, education records to ED, State and local educational authorities, U.S. Attorney General and U.S. Comptroller General. Proposed Rule: These same officials and authorities can generally redisclose personally identifiable information from education records under the same conditions and exceptions as other holders of such information.

    31. Limitations on Redisclosure Proposed Rule: Any party that has received personally identifiable information from education records from an educational agency or institution, must provide notice to the parent or eligible student before it rediscloses personally identifiable information from the records on behalf of an educational agency or institution in compliance with a judicial order or lawfully issued subpoena. Change is intended to clarify which party is responsible for notification before information is provided pursuant to a judicial order or subpoena.

    32. Redisclosure of Information Obtained Under Clery Act Clery Act regulations require institutions to inform both the accuser and the accused of the outcome of any institutional disciplinary proceeding related to an alleged sex offense. May only provide the institution’s final determination and any sanction that is imposed against the accused. Proposed Rule: Expressly provide that such disclosure pursuant to Clery Act requirement is permitted under FERPA.

    33. Health and Safety Emergencies Current regulations provide for: Disclosures of personally identifiable information in connection with health or safety emergency if necessary to protect to student or other individuals. Disclosures concerning disciplinary actions for conduct that posed a safety risk to the student or other members of the school community. Disclosures regarding safety concerns to teachers and other school officials with legitimate educational interest. Under the current regulation, these provisions must be “strictly construed.”

    34. Health and Safety Emergencies Proposed Rule: Removes “strict construction” requirement. Institution may take into account the totality of the circumstances pertaining to a threat (to the safety of a student or to other individuals). If institution determines that there is an articulable and significant threat, it may disclose information from education records to any person whose knowledge of the information is necessary to protect the health and safety of the student or other individuals. If there is a rational basis for the institution’s determination at the time it is made, ED will not retroactively substitute its judgment in evaluating the circumstances.

    35. Disclosing Directory Information About Former Students If a student “opts out” from disclosures of what is otherwise determined by the institution to be directory information, how long does that decision to opt out remain in effect? Proposed Rule: An institution must continue to honor a student’s valid opt out from directory information, made while the individual was a student, unless that decision is later rescinded. The opt out continues even after (potentially long after) the individual is no longer a student.

    36. Identification of Students and Communications in Class Current law does not address whether students may use opt out of directory information to prevent certain in-class disclosures of such information. Proposed Rule: Student may not use their right to opt out of directory information disclosures to prevent an institution from disclosing or requiring a student to disclose the student’s name, electronic identifier, or institutional e-mail address in a class in which the student is enrolled. The right to opt out of directory information disclosures does not include a right to remain anonymous in class.

    37. Prohibition on SSN Use with Directory Information Releases Current law does not explicitly address the use of Social Security Numbers to identify students when disclosing or confirming directory information. Proposed Rule: An institution is prohibited from using an SSN to identify or help identify a student or the student’s records when disclosing or confirming directory information: Regardless of whether SSN is used alone or in combination with other data elements; Unless the student has provided written consent for such use in accordance with FERPA consent requirements.

    38. Enforcement Procedures Proposed Rule: Specifies materials that ED may require in order to investigate alleged FERPA violations. Clarifies that complaint to ED need not allege a FERPA violation was caused by an institutional policy or practice; complaint only need allege a violation. Expressly allow ED to request an institution provide a written response and any other relevant information to notice of FERPA violation investigation. Allow ED to issue a findings of FERPA violation without also finding the violation constituted a policy or practice of the institution. Clarify that ED may take any appropriate enforcement action in addition to those specifically listed in the regulations.

    39. Jonathan D. Tarnow, Esq. Drinker Biddle & Reath LLP 1500 K Street, NW Washington, DC 20005 phone: 202-842-8800 fax: 202-842-8465 Email: jonathan.tarnow@dbr.com Web: www.drinkerbiddle.com/education

More Related