[Federal Register Volume 69, Number 77 (Wednesday, April 21, 2004)]
[Rules and Regulations]
[Pages 21670-21672]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 04-9054]




-----------------------------------------------------------------------

Part V





Department of Education





-----------------------------------------------------------------------



34 CFR Part 99



Family Educational Rights and Privacy Act; Final Rule



-----------------------------------------------------------------------

DEPARTMENT OF EDUCATION

34 CFR Part 99

RIN 1855-AA00


Family Educational Rights and Privacy Act

AGENCY: Office of Innovation and Improvement; Department of Education.

ACTION: Final regulations.

-----------------------------------------------------------------------

SUMMARY: The Secretary amends 34 CFR part 99 to implement the 
Department's interpretation of the Family Educational Rights and 
Privacy Act (FERPA) identified through administrative experience as 
necessary for proper program operation. These final regulations provide 
general guidelines for accepting ``signed and dated written consent'' 
under FERPA in electronic format.

DATES: These regulations are effective May 21, 2004.

FOR FURTHER INFORMATION CONTACT: Kathleen Wolan, U.S. Department of 
Education, 400 Maryland Avenue, SW., room 2W115, Washington, DC 
20202-5901. Telephone: (202) 260-3887.
    If you use a telecommunications device for the deaf (TDD), you may 
call the Federal Information Relay Service (FIRS) at 1-800-877-8339.
    Individuals with disabilities may obtain this document in an 
alternative format (e.g., Braille, large print, audiotape, or computer 
diskette) on request to the contact person listed under FOR FURTHER 
INFORMATION CONTACT.

SUPPLEMENTARY INFORMATION: On July 28, 2003, the Secretary published a 
notice of proposed rulemaking (NPRM) for this amendment in the Federal 
Register (68 FR 44420). In the preamble to the NPRM, we invited 
interested persons to submit comments concerning the proposed change. 
We proposed to add Sec.  99.30(d) in order to provide general 
guidelines for educational agencies and institutions that choose to 
meet the requirements of Sec.  99.30 with records and signatures in 
electronic format.
    We reviewed guidance for electronic signatures recently published 
by a variety of Federal Government sources, including the Office of 
Management and Budget (OMB), the General Services Administration, and 
the National Institute for Standards and Technology. Based on that 
review and comments received from school officials, we believe it is 
necessary to modify these final regulations. We modified these 
regulations to reflect the definition of ``electronic signature'' 
established in the Government Paperwork Elimination Act (GPEA), Public 
Law 105-277, Title XVII, Section 1710.
    Electronic signatures are an area of rapidly evolving technology. 
These modified regulations provide more fluid and flexible standards 
for schools that choose to implement a process for accepting electronic 
signatures. These modified regulations permit schools to take advantage 
of changing technology as it may become available, whether the change 
concerns additional security provisions or enhanced customer service.

Analysis of Comments and Changes

    In response to the Secretary's invitation in the NPRM, 16 parties 
submitted comments on the proposed regulations. We publish an analysis 
of the comments and of the changes in the regulations since publication 
of the NPRM as an appendix at the end of these final regulations. We 
discuss substantive issues under the sections of the regulations to 
which they pertain. Generally, we do not address technical and other 
minor changes and suggested changes the law does not authorize the 
Secretary to make. However, we have reviewed these regulations since 
publication of the NPRM and have made changes as follows:
    Acceptance of signature in electronic form (Sec.  99.30)
    Comments: None.
    Discussion: Electronic formats for signatures and documents are 
changing rapidly and substantially in response to evolving technologies 
and public acceptance. We wish to provide the widest possible 
flexibility for schools to adapt to such changes yet retain a 
methodology that operates within FERPA's requirements for proper 
disclosure of education records. Because FERPA applies to educational 
agencies and institutions at all levels, we do not want these 
regulations to inadvertently impose standards on elementary and 
secondary schools that may be valid only for postsecondary schools 
under Federal student aid programs.
    Based on our review of standards acceptable to other areas of the 
Federal Government, including OMB circulars and Federal Student Aid 
(FSA) guidance for electronic student loan transactions, as well as 
standards established by laws such as the Electronic Signatures in 
Global and National Commerce Act (E-Sign) and GPEA, we believe these 
modified regulations will more easily permit schools to adapt to 
changing standards in the areas of electronic signatures and documents.
    Changes: We have revised these regulations to be consistent with 
other Federal Government standards for ``electronic signatures.''

Executive Order 12866

    We have reviewed these final regulations in accordance with 
Executive Order 12866. Under the terms of the order we have assessed 
the potential costs and benefits of this regulatory action.
    The potential costs associated with these final regulations are 
those resulting from statutory requirements and those we have 
determined to be necessary for administering this program effectively 
and efficiently.
    In assessing the potential costs and benefits--both quantitative 
and qualitative--of these final regulations, we have determined that 
the benefits of the regulations justify the costs.

Summary of Potential Costs and Benefits

    We summarized the potential costs and benefits of these final 
regulations in the preamble to the NPRM (68 FR 44421).

Paperwork Reduction Act of 1995

    These regulations do not contain any information collection 
requirements.

Assessment of Educational Impact

    In the NPRM we requested comments on whether the proposed 
regulations would require transmission of information that any other 
agency or authority of the United States gathers or makes available.
    Based on the response to the NPRM and on our review, we have 
determined that these final regulations do not require transmission of 
information that any other agency or authority of the United States 
gathers or makes available.

Electronic Access to This Document

    You may view this document, as well as all other Department of 
Education documents published in the Federal Register, in text or Adobe 
Portable Document Format (PDF) on the Internet at the following site: 
http://www.ed.gov/news/fedregister.
    To use PDF you must have Adobe Acrobat Reader, which is available 
free at this site. If you have questions about using PDF, call the U.S. 
Government Printing Office (GPO), toll free, at 1-888-293-6498; or in 
the Washington, DC, area at (202) 512-1530.
    You may also find these regulations, as well as additional 
information about FERPA, on the following Web site: 
http://www.ed.gov/policy/gen/guid/fpco/index.html.





    Note: The official version of this document is the document 
published in the Federal Register. Free Internet access to the 
official edition of the Federal Register and the Code of Federal 
Regulations is available on GPO Access at: 
http://www.gpoaccess.gov/nara/index.html.

(Catalog of Federal Domestic Assistance Number does not apply.)

List of Subjects in 34 CFR Part 99

    Administrative practice and procedure, Education, Information, 
Parents, Privacy, Records, Reporting and recordkeeping requirements, 
Students.

    Dated: April 2, 2004.
Rod Paige,
Secretary of Education.

For the reasons discussed in the preamble, the Secretary amends part 99 
of title 34 of the Code of Federal Regulations as follows:
1. The authority citation for part 99 continues to read as follows:

    Authority: 20 U.S.C. 1232g, unless otherwise noted.

2. Section 99.30 is amended by adding a new paragraph (d) to read as 
follows:


Sec.  99.30  Under what conditions is prior consent required to 
disclose information?

* * * * *
    (d) ``Signed and dated written consent'' under this part may 
include a record and signature in electronic form that--
    (1) Identifies and authenticates a particular person as the source 
of the electronic consent; and
    (2) Indicates such person's approval of the information contained 
in the electronic consent.

Appendix

Analysis of Comments and Changes

    Note: The following appendix will not appear in the Code of 
Federal Regulations.

Use at Multiple School Levels

    Comments: One commenter asked whether the proposed regulations 
apply only to eligible students at postsecondary institutions.
    Discussion: FERPA gives the right to consent to disclosure of 
education records to parents of minor children at the elementary and 
secondary school levels, and to parents of children with 
disabilities who receive services under Part B or Part C of the 
Individuals with Disabilities Education Act (IDEA). When a student 
turns 18 years of age or attends a postsecondary institution at any 
age, the student is considered an ``eligible student'' under FERPA. 
The right to consent under FERPA transfers under either of those two 
conditions from the parent to the eligible student. Although the 
term ``eligible student'' will be used throughout this document, 
educational agencies and institutions at all levels may use these 
regulations to accept electronic signatures.
    Change: None.

Specific Methodologies

    Comments: Several commenters asked for more specific guidance on 
authentication methods and technologies that may be used.
    Discussion: As explained in the preamble to the NPRM, the 
regulations are purposefully narrow in scope and intended to be 
technology-neutral (page 44420). While we will issue additional 
guidance that will include further examples of an acceptable 
process, we do not want to limit the flexibility of schools in this 
area of rapid technological change.
    Change: None.

Safe Harbor

    Comments: Several commenters support the use of the FSA 
standards for electronic signatures in electronic student loan 
transactions (FSA Standards) as a ``safe harbor'' provision for 
acceptance of electronic signatures in FERPA. Several other 
commenters objected to the FSA Standards as being too rigorous for 
the perceived level of risk of improper disclosure. The FSA 
Standards may be viewed on the Internet at the following site: 
http://www.ifap.ed.gov/dpcletters/gen0106.html.
    Discussion: The preamble to the NPRM stated (page 44421) that 
the FSA Standards would be the ``safe harbor'' provision. A ``safe 
harbor'' is not set at the minimally acceptable level of security. 
Due to the nature of the information that may be disclosed and the 
potential harm a student may suffer from an unauthorized disclosure, 
we believe the ``safe harbor'' provision is not unduly rigorous. 
Schools retain the flexibility to choose to implement a system that 
meets the ``safe harbor'' provisions or to choose to implement 
another system to meet the new FERPA provisions.
    However, schools should be reminded that Congress has also, 
through the Gramm-Leach-Bliley Act (GLB) (Pub.L. 106-102, November 
12, 1999), imposed additional privacy restrictions on financial 
institutions, which include postsecondary institutions, requiring 
institutions to protect against unauthorized access to, or use of, 
consumer records. The Federal Trade Commission's (FTC) rule on the 
privacy of consumer financial information provides that 
postsecondary institutions that are complying with FERPA to protect 
the privacy of their student financial aid records will be deemed in 
compliance with the FTC's rule. (65 FR 33646, 33648 (May 24, 2000)). 
This exemption applies to notice requirements and the restrictions 
on a financial institution's disclosure of nonpublic personal 
information to nonaffiliated third parties in Title V of GLB. 
However, postsecondary institutions are not exempt from the FTC 
final rule implementing section 501 of GLB on Safeguarding Customer 
Information. (67 FR 368484 (May 23, 2002)). Financial institutions, 
including postsecondary institutions, are required to have adopted 
an information security program by May 23, 2003, under the FTC rule.
    Thus, while schools have the maximum flexibility in choosing a 
system that meets FSA's ``safe harbor'' provisions or another 
process for authenticating Personal Identification Number (PIN) 
numbers under FERPA, postsecondary institutions should keep these 
other Federal requirements in mind when implementing such systems.
    Change: None.

Applicability of FSA Standards

    Comments: One commenter stated that it was confusing to apply 
the situations and terminology in the FSA Standards to FERPA. The 
commenter suggested that we issue a separate guide on FERPA 
standards.
    Discussion: The FSA Standards do not apply directly to FERPA 
because some actions are imposed only on lenders or borrowers of 
financial aid. For example, the FSA Standards require that paper 
copies of transactions be provided to a student borrower at no cost 
in some circumstances, and lenders are required to obtain a 
borrower's specific consent to conduct loan transactions 
electronically. Neither of those circumstances has parallels within 
FERPA.
    We agree that some circumstances within the FSA Standards do not 
relate directly to FERPA. While schools are not required by FERPA to 
follow the FSA Standards, we believe that schools may use the set-up 
and security measures described in the FSA Standards, particularly 
sections 3 through 7, as guidance for security measures in a system 
using electronic records and signatures under FERPA. We do not plan 
to issue a separate FERPA standards document, but we will clarify 
these items in additional guidance.
    Change: None.

Use of ``Trusted Third Party'' in Identification Verification

    Comments: A commenter expressed a belief that disclosure by a 
school of student information without prior written consent to a 
``trusted third party'' as part of an identification verification 
process may be in violation of FERPA. This commenter stated that the 
conflict arises because the FSA Standards specify that the third 
party may not be an agent of the school.
    Discussion: FSA authenticates student identification information 
with the Social Security Administration as a ``trusted third 
party.'' FERPA's consent provisions do not apply to transactions 
between a student and FSA.
    In situations where a school is disclosing education records to 
a third party, FERPA's consent provisions apply. When the third 
party receiving the information from the school is not an agent for 
the school, FERPA generally requires a school to obtain prior 
written consent before the disclosure is made. Receipt of the prior 
consent would then allow a school to disclose personal information 
for authentication purposes with the records of independent sources 
such as credit reporting agencies or testing companies.
    Schools may also choose to use other processes to authenticate 
identity. For example, a school may require the eligible student to 
present photographic identification issued by a government agency. 
Such photographic identification includes, but is not limited to, a 
State-issued driver's license, a federally-issued passport, and 
other Military, Federal, or State-issued identification cards.
    Change: None.

Issuing a PIN or Password

    Comments: One commenter stated that schools that issue a PIN to 
students as outlined in the FSA Standards can result in a PIN that 
is recorded and accessible to school officials. The commenter is 
concerned that this conflicts with FERPA policy that a PIN is not 
acceptable for use under FERPA if persons other than the student 
have access to the PIN.
    Discussion: The process described in the FSA Standards does not 
permit school officials to access a student's PIN or password. In 
addition, the FSA Standards permit an eligible student to change an 
assigned password or PIN to one of their own choosing. Under the FSA 
Standards, all of the passwords or PINs, whether assigned or 
student-selected, are maintained in a secure database in an 
encrypted manner that is not generally accessible to school 
officials or other parties.
    A school that uses a similar methodology would remain in 
compliance with requirements for the acceptance of an electronic 
signature under FERPA. However, a school may not use a PIN or 
password process that results in a PIN or password that is visible 
and easily accessible to persons other than the eligible student 
because that type of process results in an insecure PIN or password. 
Schools retain the maximum flexibility to implement any appropriate 
methodology.
    Change: None.

Use of Current Systems

    Comments: Several commenters asked whether it is acceptable to 
use existing systems that include sign-on capability, such as campus 
e-mail, admissions, enrollment, and fee payment systems. Several 
commenters also asked if it is acceptable to permit eligible 
students to provide notice of directory information opt-outs by use 
of electronic signatures.
    Discussion: As explained in the preamble to the NPRM, the 
requirements for an electronic signature apply in circumstances 
where a signed and dated written consent is required under FERPA 
(page 44420). Such consent is generally required under FERPA when 
information from education records is to be disclosed to a third 
party, as in the issuance of a transcript to a prospective employer. 
Consent is not a requirement for disclosure of an eligible student's 
own records to the student. A school that wishes to use its current 
system for situations where FERPA consent is required must determine 
whether it provides the required level of security.
    The majority of the systems mentioned by the commenters are 
designed for communication between a school and an eligible student. 
Systems that permit eligible students to view, alter, or update the 
student's own records by electronic means are not the subject of 
these regulations. A school must ensure that the eligible student 
and not some other party is the receiver of the information, but the 
method a school uses to do so is not prescribed by these 
regulations.
    Change: None.

Third-Party Presentation of Electronic Signature

    Comments: Several commenters asked whether the proposed 
regulations are applicable when a third party, not the eligible 
student, presents the electronic signature claimed to be that of the 
eligible student. Two commenters expressed strong support for 
acceptance of electronic signatures presented by third parties, 
primarily when the third party is a government entity or another 
educational agency or institution.
    Discussion: Educational agencies and institutions are 
responsible to ensure that education records are disclosed only in 
accordance with FERPA. Any disclosure of education records to a 
third party, even in accordance with a student's consent, is 
permitted but not required under FERPA. Each agency or institution 
must have the flexibility to decide whether a request for disclosure 
meets the requirements of FERPA and whether the institution wishes 
to make the requested disclosure.
    The FERPA regulations do not require that an eligible student 
provide his or her consent directly to the educational agency or 
institution, and these regulations do not impose a different 
requirement for electronic signatures. We would support an agency's 
or institution's decision to only accept electronic signatures 
presented on behalf of the eligible student by certain third 
parties, such as Federal or State agencies.
    Change: None.

Application of Standards of Other Privacy Laws

    Comments: One commenter suggested that the standards of the 
Health Insurance Portability and Accountability Act of 1996 (HIPAA) 
Privacy Rule for ``protected health information'' be applied to 
personally identifiable information contained in students' education 
records. The commenter was concerned because personally identifiable 
information from students' education records are disclosed by 
educational agencies and institutions to outside third parties who 
have grants to do research. The commenter stated that educational 
agencies and institutions do not recognize the concern for privacy 
of such data.
    Discussion: The HIPAA Privacy Rule, which is administered by the 
Department of Health and Human Services, excludes from the 
definition of ``protected health information'' two categories of 
records that are relevant here: ``education records'' covered by 
FERPA (34 CFR 99.3 ``Education records'') and records described 
under FERPA's medical treatment records provision (34 CFR 99.3 
``Education records''). See 45 CFR 160.103(a). The HIPAA Privacy 
Rule does not cover such records because Congress, through FERPA, 
specifically has addressed how these records should be protected. As 
such, FERPA provides ample protections for these records and schools 
should ensure that health information, as well as other education 
records on students, are not disclosed to outside third parties 
without the consent of the student or under one of the exceptions to 
FERPA's general prior consent rule.
    With regard to the commenter's statement that educational 
agencies and institutions do not recognize the concern for privacy 
of student information, it has been our experience that the majority 
of the Nation's schools do comply with FERPA and strive to protect 
the privacy of information contained in student records. FERPA is 
not a public open records or freedom of information statute. Rather, 
the purpose of FERPA is to protect the privacy interests of parents 
and eligible students in records maintained by educational agencies 
and institutions on the student. These privacy concerns should not 
be viewed as barriers to be minimized and overcome but important 
public safeguards to be protected and strengthened.
    Change: None.

[FR Doc. 04-9054 Filed 4-20-04; 8:45 am]
BILLING CODE 4000-01-P