U.S. Department of Education Announces Proposed FERPA Regulations and New Student Privacy Initiatives

By Dana Fattore Crumley, Scott Warner and Amy K. Dickerson 

In April, the U.S. Department of Education (DOE) released a Notice of Proposed Rule Making under the Family Educational Rights and Privacy Act (FERPA), a federal law that protects the privacy of personally identifiable information from student education records.  According to the DOE, the proposed regulations would (a) clarify what disclosures of personally identifiable student information are permissible as states develop and implement longitudinal data systems and (b) increase accountability for institutions and other entities that handle protected student information.  The proposed regulations include the following provisions:

Sharing Information Between and Among Institutions and Other Entities

The proposed amendments would clarify that FERPA permits the disclosure of personally identifiable student information to any entity or person designated by a state or local educational authority to conduct an audit or evaluation or to engage in compliance or enforcement activity with respect to federal or state-supported education programs.  By proposing these changes, the DOE seeks to promote the sharing of information to help evaluate whether elementary and secondary schools are effectively preparing students for college.

According to the DOE, these changes would, for example, clarify that FERPA does not prohibit a private postsecondary institution from making non-consensual disclosures of identifiable student information to a school district about the school district’s former students who are now in attendance at the private postsecondary institution.  This would allow the school district to evaluate the federal or state-supported education programs that the school district administers.  Similarly, the changes would establish that FERPA does not prohibit a postsecondary institution from disclosing identifiable student information, without prior written consent, to a state educational authority (or the authority’s designee) in connection with the state educational authority’s evaluation of whether the state’s school districts effectively prepared their graduates to enroll, persist, and succeed in postsecondary education.

Evaluation of Education Programs

The proposed regulations would permit education programs that are not administered by an educational agency or institution to be evaluated by state or local educational authorities or their designees.  For example, the proposed regulations would permit a state educational authority to designate a state health and human services agency as its authorized representative to conduct an audit or an evaluation of any federal or state-supported education program administered by the health and human services agency, such as the Head Start program.  The regulations would apply to early childhood education programs, elementary and secondary education programs, postsecondary education programs, special education programs, job training programs, career and technical education programs, and adult education programs, regardless of whether an education agency or other agency administers the program.  The proposed amendments would also permit state educational authorities to make non-consensual disclosures of personally identifiable information to an outside organization for purposes of conducting certain specified studies on behalf of an educational authority, including studies designed to improve instruction, so long as there is a written agreement in place that includes certain terms designed to safeguard the privacy of any student information that is disclosed.

Directory Information

Limited Access

Schools would be able to implement directory information policies that limit the ability of certain parties, such as marketers or other vendors, to gain access to student record information even if that information would otherwise qualify as “directory information.”

Student ID Badges

To help promote the safety and security of students, parents or eligible students would not be able to prohibit a school from requiring students to wear or publicly display student identification badges or cards.

Enhanced Enforcement

The proposed regulations would expand the types of entities that are covered by FERPA’s enforcement provisions.  For example, if a third party that is not an educational institution but receives DOE funds, such as a state or local educational authority, violates certain privacy provisions under FERPA, the third party may be prohibited from gaining access to student education records for at least five years.

The DOE is accepting comments on the proposed regulations until May 23, 2011.

In addition to the proposed amendments to the regulations, the DOE also announced several initiatives aimed at protecting student privacy and providing guidance to schools on student record laws and regulations.  As part of these initiatives, the DOE created its first chief privacy officer position and a Privacy Technical Assistance Center  where a series of technical briefs regarding best practices for data security and privacy protections are available.