U.S. Department of Education Issues New FERPA Regulations
In a much anticipated action, the U.S. Department of Education has issued amended regulations for the Family Educational Rights and Privacy Act ("FERPA"). The amendments are aimed at providing greater flexibility in the areas of directory information and sharing data to conduct certain types of studies, audits, and evaluations.1 All amendments became effective on January 3, 2012.
With certain exceptions, FERPA prohibits the release of personally identifiable student information contained in education records without parental consent.2 One of the primary exceptions to this rule involves directory information. Each board of education has the discretion to designate directory information. When it does so, the board is required to provide an annual notice to parents. This notice must inform the parents of what information the board has designated as directory information and it must provide the parents with the opportunity to opt out of the release of such information. Once this procedure has been followed, the district can release directory information without obtaining parental consent unless the parents have opted out.
Increasingly, boards of education have shown a reluctance to broaden the scope of “directory information” because of the existence of the Ohio Public Records Act ("PRA") and similar state laws requiring the disclosure of public records. FERPA prohibits the disclosure of “education records” but does not prohibit the release of directory information. As a result, boards of education must treat directory information about students as a “public record” and supply such information to anyone who makes a public records request for it (unless another exception to the PRA applies).
In order to address this problem, the new regulations allow for the adoption of a limited directory information policy. Under this approach, a board may limit the disclosure of directory information to specific parties, for specific purposes, or both. For example, a district can designate home addresses as directory information for the purpose of preparing a student directory to be supplied to parents. If the district then receives a public records request for home addresses in any other context, the information is not “directory information” for that purpose and its release would be prohibited by FERPA.
Districts that choose to adopt limited directory information policies should consider the routine disclosures that they make in the normal course of everyday business. For instance, districts may wish to ensure that their policies are written in such a way that the district can produce a yearbook or allow the release of the names of the students who made the honor roll.
Finally, the regulations also make clear that parents cannot opt out of directory information to avoid a requirement that their children wear identification badges.
Studies, Audits, and Evaluations
The other major changes to the regulations have to do with two exceptions allowing FERPA-governed entities to share personally identifiable information with third parties, without parental consent, in order to conduct certain types of studies, audits and evaluations.3 The purpose of these regulations is to protect student privacy while allowing the data sharing necessary for effective analysis of educational programs. As a result, the regulations allow state and local educational institutions and entities to enter into agreements with third parties to conduct studies to determine which educational programs are most effective.
These agreements may include a school district contracting with colleges to obtain information on their graduates' performance. With this data, the district can determine which of its educational programs need improvement. The new regulations also take into account the growth of state-wide longitudinal data systems ("SLDS"). SLDS' allow for studies of data across the entire state in order to determine which districts have the most effective educational programs. This, in turn, should allow for an analysis of what makes those programs effective so they can be replicated across the state.
With so much student data moving around, privacy is a natural concern. This issue is primarily addressed in the regulations through the use of mandatory written agreements between the educational unit and the third party. While these agreements are meant to be flexible, there are certain required elements for each agreement, such as a provision that requires the third party to destroy the personally identifiable information once the scope of work is complete. Also, each state and local education authority is required to take reasonable steps to ensure that their authorized representatives are FERPA-compliant. In order to help education authorities achieve this goal, the Department of Education has issued best practices to consider while drafting the required agreements.
Another step the Department is taking is the establishment of a Privacy Technical Assistance Center ("PTAC") and the appointment of a Chief Privacy Officer. The PTAC will coordinate with the Family Policy Compliance Office in all of its FERPA-related work.
The Department of Education, in conjunction with the new regulations, has issued a new model annual notice that districts may use in formulating the notice they provide to parents. The Department also intends to release case studies to explain in more detail how to comply with the new regulations.
- This bulletin does not address Ohio’s statute on confidentiality of student information, Revised Code Section 3319.321. Because of differences in wording between the state and federal laws, analysis under the Ohio statute may sometimes yield a different result.
- Once a student reaches the age of 18, the parents' rights pass to the eligible student. For ease of reference, in this bulletin parental rights also include the rights of eligible students.
- As part of these revisions, a prior provision was removed that required express authority to conduct an audit, evaluation, enforcement, or compliance activity.