On December 2, 2011, the United States Department of Education (“Department”) issued revised regulations for the Family Educational Rights and Privacy Act (“FERPA”), the federal law that protects the privacy of education records. These new regulations went into effect January 3, 2012. Below is a brief summary of the most significant revisions to existing FERPA regulations. A complete copy of the final regulations may be accessed here.

Overview of the Significant Changes in the New Regulations

The primary focus of the most recent revisions to FERPA was to facilitate the disclosure of student information for the purpose of evaluating the effectiveness of publicly funded educational programs. As a general rule, FERPA requires that local educational agencies (“LEAs”) have prior written consent from a parent or eligible student before confidential student information can be lawfully disclosed to any third parties. FERPA sets out enumerated exceptions to this requirement. Among these exceptions are exceptions to allow disclosure of student information in connection with audits and evaluations and/or to outside organizations conducting studies for or on behalf of an educational agency. See 34 C.F.R. §§ 99.31(a)(3); 99.31(A)(6) and 99.35. Under prior regulations, there were many barriers to disclosing student information under the audit and evaluation exception and/or studies exception. As a result, educational authorities had a difficult time collecting and using student data to evaluate the effectiveness of educational programs. The amended regulations aim to remove these barriers by affording states and local educational authorities the flexibility to effectively share student data in order to assess and improve educational programs. To accomplish this objective, the revised regulations now provide definitions for the terms “authorized representative” and “education program” in an effort to clarify the circumstances where state educational agencies (hereinafter “SEAs”) and local educational agencies (hereinafter “LEAs”) may disclose confidential student data, in connection with the audit and evaluation exception and the studies exception set forth in FERPA.

While allowing SEAs and LEAs to disclose student data more effectively was a critical piece of the amendments, the Department had to balance that objective with the need to protect the safety of student information. As a result, the revised regulations now set forth in great detail the requirements for an LEA to enter into written agreement when educational authorities make disclosures in connection with such audits, evaluations and studies.

Additionally, the regulations made amendments to the directory information exception in two ways: first, by clarifying that parents and students may not, by opting out of directory information, refuse to wear or display a student identification card or badge; and secondly, by allowing schools to adopt limited directory information policies. Finally, the new regulations strengthen the enforcement provisions set forth in FERPA.

The Defining of “Authorized Representative” and “Educational Programs”

A significant change to the regulations was the adding of definitions to two previously undefined terms, i.e. “authorized representative” and “education program.”
By defining these terms, the Department has expanded the organizations that can receive and review student data for the purposes of conducting the audits, evaluations or studies mentioned above to evaluate the effectiveness of education programs. In the past, the Department had not defined the term “authorized representative” and took the position that educational authorities may only disclose such information to entities or organizations under their direct control (i.e. employees or contractors). Under this rigid stance, a SEA was therefore barred from disclosing personally identifiable student information from education records to many state agencies in connection with useful and effective audits, evaluations or studies. Under the new regulations, however, an authorized representative is defined broadly to include “any entities or individuals designated by a State and local educational authority to conduct — with respect to Federal or State supported education programs– any audit or evaluation, or any compliance or enforcement activity in connection with Federal legal requirements that relate to these programs.” See 34 C.F.R. § 99.3. Similarly, “education program” is defined broadly to include “any program that is principally engaged in the provision of education, including but not limited to, early childhood education, elementary and secondary education, post secondary education, special education, job training, career and technical education, and any program administrated by an educational agency or institution.” Id.

By making these definitions broad, the Department envisions that both states and local educational institutions will be able to track both the educational progress and deficiencies of students across their states from pre-kindergarten though college. As articulated by the Department in a recent press release, this change will help “policymakers determine if state and federally funded education programs are adequately preparing children for success in the next stage of life…[s]tates will be able to determine which early childhood programs prepare kids for kindergarten. High school administrators will now be able to tell how their graduates did in college.” See posting: U.S. Education Department announces New Measures to Safeguard Student Privacy, available at http://www.ed.gov/news  

Written Agreements

Previous regulations required that a LEA enter into a written agreement with organizations conducting such audits, studies or evaluations. See 34 C.F.R. §99.31 (a)(6)(iii)(C); 34 C.F.R.§99.35(a)(3); Family Educational Rights and Privacy Act, 76 Fed. Reg. 75647. Under the revised regulations, these written agreements under the audit or evaluation exception and the studies exception are slightly different and it will be important to understand the distinctions when entering into such an agreement. To assist LEAs, the Department has published an extensive list of the best practices which suggest that such agreements contain certain terms, including but not limited to, the following: (1) agreements not to re-disclose personally identifiable information; (2) a provision to identify penalties under state law should the organization breach any confidentiality rights of students; (3) maintaining the right to audit the entity to which a school district has contracted with and disclosed such information; (4) plans to handle a data breach, and; (5) clear terms for the method of documenting data instruction. Family Educational Rights and Privacy Act, 76 Fed. Reg. 75649.

It is important to note too that when an educational authority discloses education records under the audit or evaluation exception, it is required to use “reasonable methods” to ensure that the authorized representative receiving the information is FERPA-compliant. See 34 C.F.R. § 99.35(a)(2). The Department advises that this can be done in a variety of ways, including ensuring that the proposed audit is legitimate and including explicit language in the written agreement to confirm that the authorized representative receiving the information may only use the personally identifiable student information from the education records for the limited purpose of conducting the audit or evaluation. See Family Educational Rights and Privacy Act, 76 Fed. Reg. 75648.

Directory Information

The new regulations contain minor modifications to the existing definition of “directory information” and the requirements relating to directory information. Under FERPA, “directory information” is defined as “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.” 34 C.F.R. §99.3. The revised regulations expand the definition of directory information by explicitly allowing school districts to designate student identification numbers as directory information for the limited purposes of displaying a student identification card or student badge. The identification number, however, may not be the only identifier used when obtaining access to educational records or data. Significantly, the new regulations clarify that parents and/or eligible students may not use the right to opt out of directory information disclosures to prohibit schools from requiring students to wear or display an identification card or badge. School officials are reminded, however, that parents and eligible students must be properly notified of the designation of any information as directory information. Family Educational Rights and Privacy Act, 76 Fed. Reg. 75642; 34 C.F.R. §99.37.

On a related note, the new regulations provide school districts with the option to adopt a limited directory information policy. Such a policy may allow for the disclosure of directory information to specific parties, for specified reasons, or for both. Parents and/or eligible students must receive public notice of this limited policy. The purpose behind this amendment was to clarify any uncertainty of the interplay between FERPA and state sunshine laws, known in Connecticut as the Freedom of Information Act (“FOIA”), and when and with whom basic student information could and should be disclosed.

Enforcement Provisions

Finally, the new regulations further strengthen the enforcement provisions set forth in FERPA. Specifically, the Department clarifies that the compliance and enforcement procedures set forth in FERPA apply not only to educational agencies and institutions, but also to other entities that are recipients of Department funds, despite having no students in attendance, (i.e., non-profits, state educational agencies, student loan lenders, etc.). The amended regulations hold such entities more accountable for FERPA violations, including the misuse and abuse of confidential student information. Family Educational Rights and Privacy Act, 76 Fed. Reg. 75638.

In response to these recent changes to FERPA, we recommend that school districts and other educational institutions review the new regulations in conjunction with their existing student records policies to ensure that school policies and practices reflect updated requirements for maintaining and disclosing student information.

Download printable PDF.