[Federal Register Volume 76, Number 232 (Friday, December 2, 2011)]
[Rules and Regulations]
[Pages 75603-75660]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-30683]



[[Page 75603]]

Vol. 76

Friday,

No. 232

December 2, 2011

Part II





Department of Education





-----------------------------------------------------------------------





34 CFR Part 99





Family Educational Rights and Privacy; Final Rule

Federal Register / Vol. 76 , No. 232 / Friday, December 2, 2011 / 
Rules and Regulations

[[Page 75604]]


-----------------------------------------------------------------------

DEPARTMENT OF EDUCATION

34 CFR Part 99

[DOCKET ID ED-2011-OM-0002]
RIN 1880-AA86


Family Educational Rights and Privacy

AGENCY: Office of Management, Department of Education.

ACTION: Final regulations.

-----------------------------------------------------------------------

SUMMARY: The Secretary of Education (Secretary) amends the regulations 
implementing section 444 of the General Education Provisions Act 
(GEPA), which is commonly referred to as the Family Educational Rights 
and Privacy Act (FERPA). These amendments are needed to ensure that the 
U.S. Department of Education (Department or we) continues to implement 
FERPA in a way that protects the privacy of education records while 
allowing for the effective use of data. Improved access to data will 
facilitate States' ability to evaluate education programs, to ensure 
limited resources are invested effectively, to build upon what works 
and discard what does not, to increase accountability and transparency, 
and to contribute to a culture of innovation and continuous improvement 
in education. The use of data is vital to ensuring the best education 
for our children. However, the benefits of using student data must 
always be balanced with the need to protect student privacy. Protecting 
student privacy helps achieve a number of important goals, including 
avoiding discrimination, identity theft, as well as other malicious and 
damaging criminal acts.

DATES: These regulations are effective January 3, 2012. However, State 
and local educational authorities, and Federal agencies headed by 
officials listed in Sec.  99.31(a)(3) with written agreements in place 
prior to January 3, 2012, must comply with the existing requirement in 
Sec.  99.35(a)(3) to use written agreements to designate any authorized 
representatives, other than employees, only upon any renewal of or 
amendment to the written agreement with such authorized representative.

FOR FURTHER INFORMATION CONTACT: Ellen Campbell, U.S. Department of 
Education, 400 Maryland Avenue SW., Room 2E203, Washington, DC 20202-
8520. Telephone: (202) 260-3887.
    If you use a telecommunications device for the deaf (TDD), call the 
Federal Relay Service (FRS), toll-free, at 1-(800) 877-8339.

SUPPLEMENTARY INFORMATION: On April 8, 2011, the Department published a 
notice of proposed rulemaking (NPRM) in the Federal Register (76 FR 
19726). In the preamble to the NPRM, the Secretary stated that the 
proposed changes were necessary to ensure the Department's proper 
implementation of FERPA, while allowing for the effective use of 
student data, and to address other issues identified through the 
Department's experience in administering FERPA.
    Protecting student privacy is paramount to the effective 
implementation of FERPA. All education data holders must act 
responsibly and be held accountable for safeguarding students' 
personally identifiable information (PII) from education records. The 
need for clarity surrounding privacy protections and data security 
continues to grow as statewide longitudinal data systems (SLDS) are 
built and more education records are digitized and shared 
electronically. As States develop and refine their information 
management systems, it is critical that they take steps to ensure that 
student information is protected and that PII from education records is 
disclosed only for authorized purposes and under circumstances 
permitted by law. (When we use the term ``disclose'' in this document, 
we sometimes are referring to redisclosures as well.)
    The amendments reflected in these final regulations establish the 
procedures that State and local educational authorities, and Federal 
agencies headed by officials listed in Sec.  99.31(a)(3) (FERPA-
permitted entities), their authorized representatives, and 
organizations conducting studies must follow to ensure compliance with 
FERPA. The amendments also reduce barriers that have inhibited the 
effective use of SLDS as envisioned in the America Creating 
Opportunities to Meaningfully Promote Excellence in Technology, 
Education, and Science Act (the America COMPETES Act) (Pub. L. 110-69) 
and the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 
111-5). Finally, by expanding the requirements for written agreements 
and the Department's enforcement mechanisms, the amendments help to 
ensure increased accountability on the part of those with access to PII 
from education records.
    These amendments include definitions for two previously undefined 
terms, ``authorized representative'' and ``education program,'' to 
permit greater access by appropriate and authorized parties to 
information on students in order to evaluate the effectiveness of 
education programs. Specifically, we have modified the definition of 
and requirements related to ``directory information'' to clarify (1) 
that the right to opt out of the disclosure of directory information 
under FERPA does not include the right to refuse to wear, or otherwise 
disclose, a student identification (ID) card or badge; (2) that schools 
may implement a limited directory information policy in which they 
specify the parties or purposes for which the information is disclosed; 
and (3) the Department's authority to hold State educational 
authorities and other recipients of Department funds under a program 
administered by the Secretary accountable for compliance with FERPA.
    We believe that the regulatory changes adopted in these final 
regulations provide clarification on many important issues that have 
arisen over time with regard to how FERPA applies to SLDS and to other 
requests for data on student progress. Additionally, educational 
agencies and institutions continue to face considerable challenges 
implementing directory information policies that help them maintain 
safe campuses and protect PII from education records from potential 
misuse, such as identity theft. These final regulations, as well as the 
discussion in the preamble, will assist school officials in addressing 
these challenges in a manner that complies with FERPA. These final 
regulations also respond to the September 2010 U.S. Government 
Accountability Office (GAO) study entitled ``Many States Collect 
Graduates' Employment Information, but Clearer Guidance on Student 
Privacy Requirements Is Needed,'' by clarifying the means by which 
States can collect and share graduates' employment information under 
FERPA.
    Finally, we have discussed with the U.S. Department of Agriculture 
(USDA) the potential effect of these regulations on the use of 
information regarding individual children's eligibility for free or 
reduced price school meals in the National School Lunch and School 
Breakfast Programs (School Meals Programs or SMPs) in connection with 
an audit or evaluation of Federal- or State-supported education 
programs. Congress recognized that sharing of children's eligibility 
information could benefit schools and children participating in the 
SMPs. As a result, section 9(b)(6) of the Richard B. Russell National 
School Lunch Act, as amended (National School Lunch Act) (42 U.S.C. 
1758(b)(6)) permits schools to disclose children's eligibility 
information to persons with a need to know who are associated with a 
Federal or State education program and who will not

[[Page 75605]]

further disclose that information. Because of the importance of 
assuring not only that FERPA requirements are met, but also that all of 
the Federal confidentiality protections in the National School Lunch 
Act are met, the two Departments intend to jointly issue guidance in 
the near future for use by the educational community and by State and 
local administrators of USDA programs.

Notice of Proposed Rulemaking

    In the NPRM, we proposed regulations to:
     Amend Sec.  99.3 to define the term ``authorized 
representative'' to include individuals or entities designated by 
FERPA-permitted entities to carry out an audit or evaluation of 
Federal- or State-supported education programs, or for the enforcement 
of or compliance with Federal legal requirements related to these 
programs (audit, evaluation, or enforcement or compliance activity);
     Amend the definition of ``directory information'' in Sec.  
99.3 to clarify that a unique student identification (ID) number may be 
designated as directory information for the purposes of display on a 
student ID card or badge if the unique student ID number cannot be used 
to gain access to education records except when used in conjunction 
with one or more factors that authenticate the user's identity, such as 
a Personal Identification Number, password, or other factor known or 
possessed only by the authorized user;
     Amend Sec.  99.3 to define the term ``education program'' 
as any program principally engaged in the provision of education, 
including, but not limited to, early childhood education, elementary 
and secondary education, postsecondary education, special education, 
job training, career and technical education, and adult education;
     Amend Sec.  99.31(a)(6) to clarify that FERPA-permitted 
entities are not prevented from redisclosing PII from education records 
as part of agreements with researchers to conduct studies for, or on 
behalf of, educational agencies and institutions;
     Remove the provision in Sec.  99.35(a)(2) that required 
that any FERPA-permitted entity must have legal authority under other 
Federal, State, or local law to conduct an audit, evaluation, or 
enforcement or compliance activity;
     Amend Sec.  99.35(a)(2) to provide that FERPA-permitted 
entities are responsible for using reasonable methods to ensure that 
their authorized representatives comply with FERPA;
     Add a new Sec.  99.35(a)(3) to require that FERPA-
permitted entities must use a written agreement to designate an 
authorized representative (other than an employee) under the provisions 
in Sec. Sec.  99.31(a)(3) and 99.35 that allow the authorized 
representative access to PII from education records without prior 
written consent in connection with any audit, evaluation, or 
enforcement or compliance activity;
     Add a new Sec.  99.35(d) to clarify that in the event that 
the Department's Family Policy Compliance Office (FPCO or Office) finds 
an improper redisclosure in the context of Sec. Sec.  99.31(a)(3) and 
99.35 (the audit or evaluation exception), the Department would 
prohibit the educational agency or institution from which the PII 
originated from permitting the party responsible for the improper 
disclosure (i.e., the authorized representative, or the FERPA-permitted 
entities, or both) access to PII from education records for a period of 
not less than five years (five-year rule);
     Amend Sec.  99.37(c) to clarify that while parents or 
eligible students (students who have reached 18 years of age or are 
attending a postsecondary institution at any age) may opt out of the 
disclosure of directory information, this opt out does not prevent an 
educational agency or institution from requiring a student to wear, 
display, or disclose a student ID card or badge that exhibits directory 
information;
     Amend Sec.  99.37(d) to clarify that educational agencies 
or institutions may develop policies that allow the disclosure of 
directory information only to specific parties, for specific purposes, 
or both; and
     Add Sec.  99.60(a)(2) to authorize the Secretary to take 
appropriate actions to enforce FERPA against any entity that receives 
funds under any program administered by the Secretary, including funds 
provided by grant, cooperative agreement, contract, subgrant, or 
subcontract.

Changes From the NPRM

    These final regulations contain the following substantive changes 
from the NPRM:
     In Sec.  99.3, we have defined the term ``early education 
program'' as that term is used in the definition of education program. 
The definition is based on the definition of ``early childhood 
education program'' in section 103(8) of the Higher Education Act of 
1965, as amended (HEA) (20 U.S.C. 1003(8));
     We have made changes to the definition of ``education 
program'' in Sec.  99.3 to clarify that any program administered by an 
educational agency or institution is considered an education program; 
and
     We have modified the written agreement requirement in 
Sec.  99.35(a)(3) to require that the agreement specify how the work 
falls within the exception of Sec.  99.31(a)(3), including a 
description of the PII from education records that will be disclosed, 
and how the PII from education records will be used.
    We have also made the following minor or non-substantive changes 
from the NPRM:
     We have made minor editorial changes to the definition of 
``authorized representative'' in Sec.  99.3 to ensure greater 
consistency between the language in that definition and the language in 
Sec.  99.35(a)(1);
     We have removed language from Sec. Sec.  
99.31(a)(6)(iii)(C)(4) and 99.35(a)(3)(iii) and (a)(3)(iv) that 
permitted an organization conducting a study or an authorized 
representative to return PII from education records to the FERPA-
permitted entity from which the PII originated, in lieu of destroying 
such information. We made these changes to more closely align the 
regulatory language with the statute and to ensure that the PII from 
education records is destroyed as required by the statute;
     We have made changes to Sec.  99.35(a)(2) to clarify that 
the FERPA-permitted entity from which the PII originated is responsible 
for using reasonable methods to ensure to the greatest extent 
practicable that any entity or individual designated as its authorized 
representative complies with FERPA requirements;
     We have made editorial changes to Sec.  99.35(a)(2) so the 
language in that section is more consistent with the language in Sec.  
99.35(a)(1) regarding the requirements for an audit, evaluation, or 
enforcement or compliance activity;
     We have clarified in Sec.  99.35(a)(3)(v) that the 
required written agreement must establish policies and procedures to 
protect PII from education records from further disclosure, including 
by limiting use of PII to only authorized representatives with 
legitimate interests in the audit, evaluation, or enforcement or 
compliance activity;
     We have revised Sec.  99.35(b)(1) to refer to a State or 
local educational authority or agency headed by an official listed in 
Sec.  99.31(a)(3) rather than ``authority'' or ``agency'', to ensure 
consistency with the language used in Sec.  99.35(a)(2) and (a)(3);
     We have consolidated all regulatory provisions related to 
prohibiting an educational agency or institution from disclosing PII 
from education records to a third party outside of an educational 
agency or institution for at least five years (five-year rule) and 
moved them to subpart E of part 99 (What are the

[[Page 75606]]

Enforcement Procedures?). Specifically, we--
    [cir] Included in Sec.  99.67(c) language from current Sec.  
99.31(a)(6)(iv) concerning the application of the five-year rule when 
the Department determines that a third party outside the educational 
agency or institution fails to destroy PII from education records after 
the information is no longer needed for the study for which it was 
disclosed;
    [cir] Clarified in Sec.  99.67(d) that, in the context of the audit 
or evaluation exception, the five-year rule applies to any FERPA-
permitted entity or its authorized representative if the Department 
determines that either party improperly redisclosed PII from education 
records; and
    [cir] Moved to Sec.  99.67(e) the language from current Sec.  
99.33(e) concerning the application of the five-year rule when the 
Department determines that a third party outside the educational agency 
or institution improperly rediscloses PII from education records in 
violation of Sec.  99.33 or fails to provide the notification required 
under Sec.  99.33(b)(2);
     Throughout subpart E of part 99 (Sec. Sec.  99.60 through 
99.67), we have revised the language regarding enforcement procedures 
to clarify that the Secretary may investigate, process, and review 
complaints and violations of FERPA against an educational agency or 
institution or against any other recipient of Department funds under a 
program administered by the Secretary. This marks a change from the 
current provisions, which refer only to the Department's enforcement 
procedures against ``educational agencies and institutions,'' which are 
defined in Sec.  99.3 as any public or private agency or institution to 
which part 99 applies under Sec.  99.1(a). Section 99.1 describes FERPA 
as applying to an educational agency or institution to which funds have 
been made available under any program administered by the Secretary if 
(1) The educational institution provides educational services or 
instruction, or both, to students; or (2) the educational agency is 
authorized to direct and control public elementary or secondary, or 
postsecondary educational institutions; and
     Throughout subpart E of part 99 (Sec. Sec.  99.60 through 
99.67), we have clarified the procedures that the Office will follow to 
investigate, review, process, and enforce the five-year rule against 
third parties outside of the educational agency or institution.

Analysis of Comments and Changes

    We received a total of 274 comments on the proposed regulations. 
The comments represented a broad spectrum of viewpoints from a number 
of different interested parties, including students, parents, privacy 
advocacy organizations, researchers, numerous associations, and 
representatives from schools, local educational agencies (LEAs) (also 
referred to as ``districts''), and State educational agencies (SEAs).
    We have carefully considered these comments and, as a result of 
this public input, have made several changes to the final regulations 
since publication of the NPRM. An analysis of the comments and changes 
follows. We group major issues according to subject, with applicable 
sections of the regulations referenced in parentheses. Generally, we do 
not address technical and other minor changes that we made, or respond 
to suggested changes that the law does not authorize the Secretary to 
make, or to comments that were outside the scope of the NPRM.

General Comments

Definitions

    Comment: Several commenters stated that the terms used in the 
proposed regulations to refer to the different types of entities 
affected by the regulations were unclear and asked for the Department 
to clarify their meaning. Specifically, they asked if there is a 
difference between an educational agency or institution, on the one 
hand, and a State or local educational authority, on the other. Some 
commenters requested that we clarify whether a State agency, other than 
an SEA, such as a State department of social services, could be 
considered a State educational authority under the regulations. Another 
commenter asked that we also define the term ``school official'' to 
differentiate it from the term ``authorized representative.''
    Discussion: There are differences in meaning between the terms 
``educational agency,'' ``educational institution,'' and ``State and 
local educational authority,'' and we provide the following explanation 
to clarify how these terms are used in the context of FERPA and its 
implementing regulations.
    In general, FERPA applies to an ``educational agency or 
institution'' that receives funds under a program administered by the 
Secretary. 20 U.S.C. 1232g(a)(3). In Sec.  99.3, we define the term 
``educational agency or institution'' as any public or private agency 
or institution to which part 99 applies under Sec.  99.1(a).
    Educational institution. We use the term ``educational 
institution'' to refer to any elementary or secondary school, including 
any school funded or operated by the U.S. Department of the Interior's 
Bureau of Indian Education (BIE),\1\ or to any postsecondary 
institution that receives funds under a program administered by the 
Secretary and that provides educational services or instruction, or 
both, to students (see Sec.  99.1(a)(1)). Additionally, Sec.  99.3 of 
the FERPA regulations defines ``institution of postsecondary 
education'' as an institution that provides education to students 
beyond the secondary school level. We generally use the term 
``institution of postsecondary education'' to refer to colleges and 
universities and, in this document, use it interchangeably with the 
terms ``postsecondary institution'' and ``institution of higher 
education''.
---------------------------------------------------------------------------

    \1\ Under section 9204(a) of the Elementary and Secondary 
Education Act of 1965, as amended (ESEA), the Secretary of Education 
and the Secretary of the Interior are required to reach an agreement 
regarding how the BIE will comply with ESEA requirements. Under a 
2005 Final Agreement between the Department of Education and the 
Department of the Interior, the two Departments agreed, as a general 
matter, that the Department of Education would treat BIE as an SEA 
and each BIE school as an LEA, for purposes of complying with the 
requirements of ESEA.
---------------------------------------------------------------------------

    Educational agency. Under Sec.  99.1(a)(2), an ``educational 
agency'' is an entity that is authorized to direct and control public 
elementary or secondary schools or postsecondary institutions. Thus, we 
consider LEAs (a term that we use interchangeably with school 
districts) to be ``educational agencies'' in the context of FERPA. 
However, we do not generally view SEAs as being ``educational 
agencies'' under Sec.  99.1(a)(2) because we interpret the statutory 
definition of the term ``student'' to mean that an educational agency 
is an agency attended by students. Under paragraph (a)(6) of FERPA, a 
``student includes any person with respect to whom an educational 
agency or institution maintains education records or personally 
identifiable information, but does not include a person who has not 
been in attendance at such agency or institution.'' 20 U.S.C. 
1232g(a)(6). For example, we have generally considered students to be 
in attendance at the Fairfax County Public Schools school district, but 
not at the Virginia Department of Education. Therefore, under this 
framework, the term ``educational agencies or institutions'' generally 
refers to LEAs, elementary and secondary schools, schools operated by 
BIE, and postsecondary institutions.
    State and local educational authorities. The term ``State and local 
educational authority'' is not defined in FERPA. The term ``State and 
local

[[Page 75607]]

educational authority'' is important in the context of FERPA's audit or 
evaluation exception in Sec. Sec.  99.31(a)(3) and 99.35 because State 
and local educational authorities are permitted to access, without 
consent, PII from education records. We generally have interpreted the 
term ``State and local educational authority'' to refer to an SEA, a 
State postsecondary commission, BIE, or any other entity that is 
responsible for and authorized under local, State, or Federal law to 
supervise, plan, coordinate, advise, audit, or evaluate elementary, 
secondary, or postsecondary Federal- or State-supported education 
programs and services in the State. (See http://www2.ed.gov/policy/gen/guid/fpco/ferpa/library/wku071105.html for more information.) While we 
have not generally viewed an SEA as being an educational agency under 
Sec.  99.1(a)(2) for the reasons outlined in the preceding paragraph, 
it is important to note that we do view an SEA as a State educational 
authority for FERPA purposes.
    An LEA can be both an educational agency and a local educational 
authority under FERPA because an LEA is authorized to direct and 
control public elementary and secondary schools and to supervise 
Federal- or State-supported education programs and services in the 
State. Because an LEA is considered to be an educational authority, the 
LEA may conduct an audit or evaluation of a Federal- or State-supported 
education program under the audit or evaluation exception. For example, 
an LEA may wish to evaluate the effectiveness of a particular program 
in the school district.
    Some commenters asked whether a State agency other than an SEA, 
such as a State social services agency, could be considered an 
``educational agency or institution'' or a ``State or local educational 
authority.'' We believe that State agencies other than an SEA could, 
depending on the individual circumstances, be considered to be an 
``educational agency or institution'' or a State educational authority 
under FERPA. The Department generally considers a State postsecondary 
commission to be a State educational authority because such commissions 
are typically responsible for and authorized under State law to 
supervise, plan, coordinate, advise, audit, or evaluate Federal- or 
State-supported postsecondary education programs and services in the 
State. Likewise, a State-administered school that receives funds under 
a program administered by the Secretary, such as a school serving 
hearing-impaired students, is considered an educational institution 
under FERPA because it provides educational services or instruction to 
students. In general, the Department does not consider a State social 
services agency to be an ``educational agency or institution'' under 
FERPA because, although such an agency may provide educational services 
or instruction to students, it is not authorized to direct and control 
public elementary or secondary or postsecondary educational 
institutions, and it does not have students in attendance. In addition, 
the Department does not consider a State social services agency to be a 
State educational authority because such an agency generally is not 
responsible for and authorized under State law to supervise, plan, 
coordinate, advise, audit, or evaluate federally or State-supported 
elementary, secondary, or postsecondary education programs and services 
in the State. However, because States vary widely in how they 
administer programs, the Department would make this determination on a 
case-by-case basis and evaluate the particular responsibilities of that 
agency before giving definitive guidance on whether a particular agency 
would be considered an educational agency or institution or a State or 
local educational authority under FERPA.
    With regard to the request that we define the term ``school 
official'' to avoid confusion with the term ``authorized 
representative,'' we note that current Sec.  99.31(a)(1) in the FERPA 
regulations already describes ``school official.'' This section makes 
clear that school officials are teachers and administrators who work 
within a school, school district, or postsecondary institution. The 
regulations also state in Sec.  99.31(a)(1) that contractors, 
consultants, volunteers, or other parties to whom an educational agency 
or institution has outsourced institutional services or functions under 
the conditions listed in Sec.  99.31(a)(1)(i)(B)(1) through 
(a)(1)(i)(B)(3) may be considered school officials with legitimate 
educational interests in students' education records. We believe that 
this language in Sec.  99.31(a)(1) and the definition of ``authorized 
representative'' are sufficiently clear to ensure that there is no 
confusion between these different categories of individuals.
    Changes: None.
    Comment: Several commenters asked the Department to include 
definitions for, and examples of, the following terms: ``evaluation,'' 
``audit,'' ``research,'' ``legitimate educational interest,'' 
``compliance activities,'' and ``enforcement activities.''
    Discussion: The terms identified by the commenters are not defined 
in FERPA, and the Department did not propose to define them in the NPRM 
because we did not wish to define them in ways that would unnecessarily 
restrict the educational community. Moreover, we do not believe it 
would be appropriate to define these terms in these final regulations 
because the public would not have had an opportunity to comment on 
them.
    Changes: None.

Fair Information Practice Principles

    Comment: Some commenters stated that the proposed amendments to 
part 99 in the NPRM represented a ``wholesale repudiation of the fair 
information practices.'' Others contended that the proposed regulatory 
changes go too far; that the changes would permit the disclosure of 
confidential student records to organizations that have little 
involvement in education, and the data will be used for purposes 
unrelated to education. Others expressed concern that the regulatory 
changes would result in student records being used for a wide range of 
activities under the pretext that some educational result would be 
derived from those activities. Others commented that obtaining parental 
consent to permit the disclosure of PII from education records should 
be the preferred approach.
    Discussion: The Fair Information Practice Principles (FIPPs) are 
the foundation for information privacy in the United States. These 
principles are sometimes referred to just as FIPs (Fair Information 
Practices) and various versions of these principles exist with 
different numbering schemes. These principles include: That there be no 
secret recordkeeping systems; that individuals should have a way to 
find out information about themselves in a record and how it is used; 
that individuals be allowed to prevent information obtained for one 
purpose from being used for another; that individuals be allowed to 
correct records about themselves; and that the organization that 
created the record assure its reliability and take steps to prevent 
misuse. FIPPs form the basis of most State and Federal privacy laws in 
the United States, including FERPA. Like most privacy laws, however, 
the FIPPs must be adapted to fit the educational context of data 
disclosure. For example, one of the FIPPs principles is that 
individuals should have the right to prevent information for one 
purpose from being used for another. FERPA expressly permits the 
redisclosure, without consent, of PII from education

[[Page 75608]]

records for a reason other than the reason for which the PII was 
originally collected, if the redisclosure is made on behalf of the 
educational agency or institution that provided the PII and the 
redisclosure meets the requirements of sec. 99.31.
    The Department is not repudiating FIPPs, but rather is making only 
narrow changes to its regulations that it has determined are necessary 
to allow for the disclosure of PII from education records to improve 
Federal- and State-supported education programs while still preserving 
student privacy. The Department remains committed to FIPPs and believes 
that the final regulations appropriately embody core FIPPs tenets. In 
fact, FIPPs underlay the Department's recent privacy initiatives, 
including creating a Chief Privacy Officer position,\2\ creating the 
Privacy Technical Assistance Center (PTAC),\3\ and issuing a series of 
technical briefs on privacy, confidentiality, and data security.
---------------------------------------------------------------------------

    \2\ The Department established an executive level Chief Privacy 
Officer (CPO) position in early 2011. The CPO oversees a new 
division dedicated to advancing the responsible stewardship, 
collection, use, maintenance, and disclosure of information at the 
national level and for States, LEAS, postsecondary institutions, and 
other education stakeholders.
    \3\ PTAC was established to serve as a one[hyphen]stop resource 
for SEAs, LEAs, the postsecondary community, and other parties 
engaged in building and using education data systems. PTAC's role is 
to provide timely and accurate information and guidance about data 
privacy, confidentiality, and security issues and practices in 
education; disseminate this information to the field and the public; 
and provide technical assistance to key stakeholders. PTAC will 
share lessons learned; provide technical assistance in both group 
settings and in one[hyphen]on[hyphen]one meetings with States; and 
create training materials on privacy, confidentiality, and security 
issues.
---------------------------------------------------------------------------

    We agree that it is preferable to obtain consent before disclosing 
PII from education records, and nothing in these final regulations is 
intended to change the statutory framework for consent. Nonetheless, 
Congress explicitly provided in FERPA that for certain purposes, PII 
from education records may be disclosed without consent. 20 U.S.C. 
1232g(b).
    We recognize that some may fear that these final regulations will 
permit the disclosure of PII from education records to improper 
parties, or for improper purposes, but we firmly believe such fears 
lack foundation. To be clear, these final regulations do not permit PII 
from education records to be disclosed for purposes unrelated to 
education. For example, the statute limits disclosures to those 
organizations that conduct studies for the purposes of ``developing, 
validating, or administering predictive tests, administering student 
aid programs, and improving instruction.'' We believe that the best 
method to prevent misuse of education records is not to bar all 
legitimate uses of education data, but rather to provide guidance and 
technical assistance on how legitimate uses can be implemented while 
properly protecting PII from education records in accordance with 
FERPA.
    Changes: None.
    Comments: Several commenters expressed concern or confusion about 
how the FERPA recordation, review, and correction provisions would work 
at the various school, LEA, or State levels.
    Several commenters raised concerns about ``up-stream data sharing'' 
as it relates to the validity of the information maintained in SLDS. 
They expressed general concern that changes made to education records 
at the local level would not be reflected in the SLDS, so that 
authorized representatives of an SEA would be looking at out-of-date 
information. Some commenters suggested that when schools amend 
education records, they should be required to forward these amendments 
or corrections to their LEA or SEA.
    A few commenters recommended that we require schools to notify 
parents and eligible students when PII from education records is 
disclosed to an outside entity. One commenter suggested that parents 
and students not only be notified, but that they also be given an 
opportunity to opt out of the disclosure. Several commenters expressed 
support for the notion that parents and students should be able to 
inspect and review education records held by authorized 
representatives.
    One commenter asked why the Department did not propose to use its 
``putative enforcement authority'' to create the right for parents and 
eligible students to inspect and seek to correct education records in 
the hands of authorized representatives.
    Discussion: We appreciate the concern that records at State and 
local educational authorities be up-to-date to reflect changes made at 
the school level. We decline, however, to require schools to forward 
every change to ``up-stream'' educational entities, as this would be 
overly burdensome. Schools correct and update student education records 
on a daily basis and requiring daily ``up-stream'' updates is not 
feasible. Rather, we urge LEAs and SEAs to arrange for periodic 
updates. We believe that such an arrangement will help ensure the 
validity and accuracy of PII from education records disclosed to LEAs 
and SEAs and ultimately held in an SLDS.
    We decline to adopt the suggestion that schools be required to 
notify parents and eligible students when PII from education records is 
redisclosed to an outside entity, and to provide parents and eligible 
students with an opportunity to opt out of the disclosure. FERPA 
expressly provides for disclosure without consent in these 
circumstances, a reflection of the importance of those limited 
disclosures.
    Under Sec.  99.7(a), educational agencies and institutions are 
required to annually notify parents and eligible students of their 
rights under FERPA. While FERPA does not require that this notice 
inform parents or eligible students of individual data sharing 
arrangements, we believe that transparency is a best practice. For this 
reason, we have amended our model notifications of rights under FERPA 
to include an explanation of the various exceptions to FERPA's general 
consent disclosure rule. This change to the model notifications should 
help parents and eligible students understand under what circumstances, 
such as the evaluation of a Federal- or State-supported education 
program, PII from education records may be disclosed to third parties 
without prior written consent. The Model Notification of Rights under 
FERPA for Elementary and Secondary Schools is included as Appendix B to 
this notice and the Model Notification of Rights under FERPA for 
Postsecondary Institutions is included as Appendix C to this notice; 
these model notifications are also available on the FPCO Web site at: 
http://www2.ed.gov/policy/gen/guid/fpco/ferpa/lea-officials.html and 
http://www2.ed.gov/policy/gen/guid/fpco/ferpa/ps-officials.html.
    With respect to the suggestion that we revise the regulations so 
that parents and eligible students can inspect and review and seek to 
amend education records held by authorized representatives, we note 
that FERPA provides a right for parents and eligible students to 
inspect and review their education records held by SEAs, LEAs, and 
schools. 20 U.S.C. 1232g(a)(1)(A) and (a)(1)(B). The statute does not 
provide any right to inspect and review education records held by 
authorized representatives of FERPA-permitted entities or other third 
parties (other than SEAs). Further, FERPA also provides a right for 
parents and eligible students to seek to amend their education records 
held by LEAs and schools, but not SEAs. 20 U.S.C. 1232g(a)(2). Again, 
however, the statute does not provide any right to seek to amend 
education records held by authorized representatives of FERPA-permitted 
entities or other third parties. For this

[[Page 75609]]

reason, we do not have the authority to expand these statutory 
provisions to apply to authorized representatives of FERPA-permitted 
entities or other third parties (other than the right to inspect and 
review education records maintained by SEAs).
    Parents and eligible students seeking to inspect and review a 
student's education records held by an authorized representative or a 
third party other than the SEA may contact the disclosing school or 
LEA. The school or LEA would then be required to allow them to inspect 
and review and seek to amend the education records that they maintain. 
Additionally, while FERPA does not accord a right to a parent or an 
eligible student to inspect and review and seek to amend education 
records held by authorized representatives, FERPA-permitted entities 
are free to include inspection or amendment requirements in the written 
agreements they enter into with their authorized representatives, 
assuming it is permissible under applicable State and local law to do 
so.
    FERPA does not require parental or student notification of 
individual data sharing arrangements that may utilize PII from 
education records. However, Sec.  99.32(a) does require recordation, 
except as provided in Sec.  99.32(d), of disclosures whenever an 
educational agency or institution or FERPA-permitted entity discloses 
PII from education records under one of the exceptions to the consent 
requirement. Thus, the recordation provisions in Sec.  99.32(a)(3) 
require educational agencies and institutions to record the parties to 
whom they have disclosed PII from education records and the legitimate 
interests the parties had in obtaining the information. This 
recordation must also identify the FERPA-permitted entities that may 
make further disclosures of PII from education records without consent 
(see Sec.  99.32(a)(1)). When requested, FERPA-permitted entities must 
provide pursuant to Sec.  99.32(b)(2)(iii) a copy of their record of 
further disclosures to the requesting educational agency or institution 
where the PII from education records originated within a reasonable 
period of time, not to exceed 30 days. For example, a school may 
request a record of all further disclosures made by its SEA of PII from 
education records from that school. The SEA would be required to comply 
with this request within 30 days.
    Changes: None.

Legal Authority

    Comment: Numerous commenters questioned the Department's legal 
authority to issue the proposed regulations, stating the proposals 
exceed the Department's statutory authority. Enacting the proposed 
changes, many of these commenters argued, would require legislative 
amendments to FERPA that could not be achieved through the rulemaking 
process.
    Several commenters also stated that the America COMPETES Act and 
ARRA do not confer legal authority upon the Department to propose 
regulations that would allow the disclosure of PII from education 
records in the manner envisioned in the NPRM. While acknowledging that 
the America COMPETES Act generally supports the establishment and 
expansion of SLDS, several commenters noted that the America COMPETES 
Act requires States to develop and utilize their SLDS only in ways that 
comply with the existing FERPA regulations. One commenter stated that 
ARRA was merely an appropriations law and did not suggest any shift in 
Congressional intent regarding FERPA's privacy protections, information 
sharing, or the disclosure of student education records, generally.
    Discussion: We disagree with commenters who stated that they 
believe the Department lacks the statutory authority to promulgate the 
proposed regulations contained in the NPRM. As a general matter, the 
Department has broad statutory authority to promulgate regulations to 
implement programs established by statute and administered by the 
Department. Under section 414 of the Department of Education 
Organization Act, 20 U.S.C. 3474, ``[t]he Secretary is authorized to 
prescribe such rules and regulations as the Secretary determines 
necessary or appropriate to administer and manage the functions of the 
Secretary or the Department.'' Similarly, section 410 of GEPA, 20 
U.S.C. 1221e-3, provides that the Secretary may ``make, promulgate, 
issue, rescind, and amend rules and regulations governing the manner of 
operation of, and governing the applicable programs administered by, 
the Department.''
    Neither section 444 of GEPA, which is more commonly known as FERPA, 
nor any other statute, limits the Department's authority to promulgate 
regulations to protect the privacy of PII from education records or to 
interpret its regulations on FERPA consistently with other Federal 
statutes. The proposed regulations in the NPRM fall clearly within the 
commonplace use of the Department's regulatory authority. Adopting 
these provisions is necessary to ensure that the Department's 
implementation of FERPA continues to protect the privacy of PII from 
education records, while allowing for PII from education records to be 
effectively used, particularly in SLDS.
    Moreover, we disagree with the contention that the America COMPETES 
Act and ARRA do not provide evidence of Congressional intent to expand 
and develop SLDS to include early childhood education, postsecondary, 
and workforce information. We believe the America COMPETES Act and ARRA 
should be read consistently with FERPA, where permissible. It is a 
well-established canon of statutory construction that a statute must 
not be interpreted so that it is inconsistent with other statutes where 
an ambiguity exists. Where two statutes appear to be inconsistent with 
one another, it is appropriate to provide an interpretation that 
reconciles them while still preserving their original sense and 
purpose. See, e.g., Lewis v. Lewis & Clark Marine, Inc., 531 U.S. 438 
(2001); Ruckelshaus v. Monsanto Co., 467 U.S. 986, 1017-18 (1984).
    In this case, the Department is interpreting its regulations in a 
manner that is consistent with FERPA, the America COMPETES Act, and 
ARRA. Under section 6401(e)(2)(D) of the America COMPETES Act, Congress 
clearly set forth its desire that States develop SLDS that cover 
students from preschool through postsecondary education by including 
information such as ``the capacity to communicate with higher education 
data systems,'' ``information regarding the extent to which students 
transition successfully from secondary school to postsecondary 
education, including whether students enroll in remedial coursework,'' 
and ``other information determined necessary to address alignment and 
adequate preparation for success in postsecondary education.''
    ARRA provides clear evidence of Congressional intent to support the 
expansion of SLDS, and is not merely an appropriations law, as 
suggested by one commenter. Section 14001(d) of ARRA specified that the 
Governor of a State desiring to receive an allocation under the State 
Fiscal Stabilization Fund was required to include assurances in its 
application that, among other things, the State will establish a 
longitudinal data system that includes the elements described in 
section 6401(e)(2)(D) of the America COMPETES Act. All States received 
grants under the State Fiscal Stabilization Fund. Thus, all States are 
required to include these 12 elements in their SLDS. Through ARRA, 
Congress also provided $250 million for additional State grants to 
support the expansion of SLDS to include postsecondary and workforce

[[Page 75610]]

information, providing further evidence of Congress' intention that 
States include these elements in their SLDS.
    Interpretations of our current FERPA regulations created obstacles 
for States in their efforts to comply with ARRA's requirement that SLDS 
include the 12 elements specified in the America COMPETES Act, and 
thereby allow for the sharing of education data from preschool to 
higher education. The changes that the Department is adopting through 
these regulations should eliminate barriers that may have prevented 
States from complying with the ARRA assurances while still ensuring 
that PII in education records is protected under FERPA. For example, 
under these final regulations, a local or State educational authority 
may designate a postsecondary institution as its ``authorized 
representative,'' in connection with the evaluation of Federal- or 
State-supported education programs. As such, the K-12 local or State 
educational authority may disclose PII from education records to the 
postsecondary institution without consent for purposes of evaluating 
either the K-12 or postsecondary Federal- or State-supported education 
programs.
    If the Department were to make no regulatory changes, as requested 
by several commenters, then Congress' stated intentions behind the 
America COMPETES Act and ARRA regarding the development and expansion 
of SLDS would be significantly impeded. Instead, considering the extent 
of data sharing contemplated by these statutes, the Department is 
amending several regulatory provisions that have unnecessarily hindered 
the development and expansion of SLDS as envisioned by the America 
COMPETES Act and required under ARRA, while still remaining consistent 
with FERPA's underlying purpose of protecting student privacy.
    Changes: None.

FERPA Does Not Provide Authority for Data Collection

    Comment: Several commenters expressed concern about the types of 
student PII described in the NPRM and what they perceived as the 
Department's intent to collect information on individual students. The 
Department received similar comments from multiple parties who inferred 
from the NPRM that the Department sought to collect information on 
students such as ``hair color, blood type or health care history.'' 
These commenters appeared to believe that the Department would collect 
this data and provide it to other Federal agencies, such as Labor and 
Health and Human Services, to ``facilitate social engineering such as 
development of the type of `workforce' deemed necessary by the 
government.''
    Discussion: The Department agrees that it should not collect such 
information or guide students ``toward predetermined workforce 
outcomes,'' as the commenters stated. Moreover, the Department did not 
propose in the NPRM to permit the collection of this information or to 
conduct the activities described by these commenters.
    Commenters mistakenly inferred that the proposed changes to the 
regulations would expand the types of data collections that the 
Department may require as conditions of receiving Federal funds. FERPA 
itself does not establish the authority for any type of data collection 
at any level, whether Federal, State, or local. Likewise, FERPA does 
not authorize the establishment of SLDS. Congress granted the 
Department the authority to provide grants to States for the 
development of SLDS under section 208 of the Educational Technical 
Assistance Act of 2002, 20 U.S.C. 9607. States have invested in SLDS to 
enhance their ability to efficiently and accurately manage, analyze, 
and use education data, which includes PII from education records that 
are protected under FERPA. SLDS for K-12 education often include data 
related to Federal- and State-funded education programs, such as data 
related to assessments, grades, course enrollment and completion, 
attendance, discipline, special education status, homeless status, 
migrant status, graduation or dropout status, demographics, and unique 
student identifiers. Schools and LEAs are the primary collectors of 
these data. LEAs report these individual student-level data to the SEA 
to meet various requirements, and the data is warehoused in the SLDS.
    For Federal K-12 reporting, SEAs report aggregated counts at the 
State, local, and school levels for various indicators that are 
required for participation in Federal education programs, such as the 
number of students participating in and served by Title I. Similarly, 
postsecondary institutions are required to complete Integrated 
Postsecondary Education Data Systems (IPEDS) surveys if they 
participate in or are applicants for participation in any Federal 
student financial aid program (such as Pell grants and Federal student 
loans). While schools, LEAs, SEAs, and postsecondary institutions 
maintain student-level data, what is reported to the Department in 
IPEDS and in Federal K-12 reporting is aggregated, at a minimum, at the 
institutional level. The Department does not collect PII from education 
records outside of its duties that require it, such as administering 
student loans and grants, conducting surveys, and investigating 
individual complaints.
    The Department offers this clarification to address the public 
comments that mistakenly interpreted the Department's proposed 
regulations as a mechanism to collect sensitive personal data on 
individual students at the Federal level, including data elements that 
are not related to education, to be used for non-educational purposes. 
As discussed later in this preamble, the Department is not legally 
authorized to create a national, student-level database, and the 
Department has no desire or intention to create a student record data 
system at the national level. Thus, the SLDS mentioned in these final 
regulations refers to individual States' longitudinal data systems, not 
a Federal database.
    Commenters interested in understanding more about the data 
collections required by the Department should visit the Department's 
Web site at http://edicsweb.ed.gov and select the ``Browse Active 
Collections'' link.
    Changes: None.
    Comment: Several commenters expressed concern that the Department's 
proposal would create a national database of student PII. One commenter 
expressed strong opposition to the establishment of a national database 
because of concern that such a database could be used for non-
educational purposes. Another commenter recommended that the Department 
publicly affirm that it does not support the establishment of a 
national database.
    Several commenters indicated that the proposed changes reflected in 
the NPRM would permit data sharing and linking of SLDS across State 
lines, allowing for the creation of a ``de facto'' national database of 
student PII. These commenters expressed concern that interconnected 
SLDS would invite substantial threats to student privacy. Another 
commenter noted that the prohibition regarding the establishment of a 
national database in the ESEA, demonstrated Congress' intent to 
prohibit Federal funding of an interconnected SLDS.
    Discussion: The Department is not establishing a national database 
of PII from education records and we have no intention to do so. 
Moreover, neither ESEA nor HEA provides the Department with the 
authority to establish a Federal database of PII from education 
records. Specifically, ``[n]othing in [ESEA] * * * shall be construed 
to authorize the development of a nationwide database''

[[Page 75611]]

of PII from education records. 20 U.S.C. 7911. Likewise, ``nothing in 
[HEA] shall be construed to authorize the development, implementation, 
or maintenance of a Federal database'' of PII from education records. 
20 U.S.C. 1015c(a).
    On the other hand, we do not agree with the suggestion that 
Congress intended to prohibit States from developing their own SLDS or 
linking SLDS across State lines. The right to develop SLDS or link SLDS 
across State lines is reserved to the States. Both ESEA and HEA permit 
States or a consortium of States to develop their own State-developed 
databases. In fact, HEA specifically states that it does not prohibit 
``a State or a consortium of States from developing, implementing, or 
maintaining State-developed databases that track individuals over time, 
including student unit record systems that contain information related 
to enrollment, attendance, graduation and retention rates, student 
financial assistance, and graduate employment outcomes.'' 20 U.S.C. 
1015c(c).
    The Department does not agree with those commenters who expressed 
concerns that the linking of SLDS across State lines would allow for 
the creation of a ``de facto'' national database of student PII. First, 
as discussed earlier, States are not prohibited from establishing their 
own SLDS or linking SLDS across State lines provided that they do so in 
compliance with all applicable laws, including FERPA. Second, if a 
consortium of States chose to link their individual SLDS across State 
lines, such a system of interconnected SLDS would not be ``national'' 
because the Federal Government would not play a role in its operation. 
Rather, responsibility for operating such a system would lie entirely 
with the consortium of States.
    Further, Congress made clear in the America COMPETES Act and ARRA 
that it supports the development and expansion of SLDS. For example, 
title VIII of ARRA appropriated $250,000,000 to the Institute of 
Education Sciences to carry out section 208 of the Educational 
Technical Assistance Act to provide competitive grants to State for the 
development of their SLDS that include early childhood through 
postsecondary and workforce information. In addition, section 14005 of 
ARRA provides that in order to receive funds under the State Fiscal 
Stabilization Fund a State was required to provide an assurance that it 
will establish an SLDS that includes the elements described in section 
6401(e)(2)(D) of the America COMPETES Act (20 U.S.C. 9871). Consistent 
with congressional intent, these activities are only being carried out 
at the State level, not through the creation of a Federal database. 
These final regulations will help reduce barriers that have hindered 
States and consortia of States from developing, implementing, and 
maintaining their own SLDS.
    Changes: None.

Use of Social Security Numbers

    Comment: Several commenters requested clarification on whether 
Social Security numbers (SSNs) could be maintained in an SLDS or used 
as a linking variable. These commenters stated that they had been 
hindered in their efforts to build a robust SLDS by limitations on the 
exchange of SSNs. Other commenters suggested that the use of SSNs, 
names, and dates of birth be minimized, and that SLDS should instead 
create a common identifier that would allow the SEA and its authorized 
representative to match student records data without an unnecessary 
transfer of SSNs and other identifying information.
    Discussion: We understand that data contained within an SLDS cannot 
be used effectively without using unique linking variables. Without the 
use of linking variables, States would be unable to monitor the 
educational progress and experiences of individual students as they 
progress through the education system across grade levels, schools, 
institutions, and into the workforce.
    FERPA does not prohibit the use of a SSN as a personal identifier 
or as a linking variable. However, we agree with commenters that the 
use of SSNs should be minimized given that SSNs are often used by 
criminals for identity theft. The Federal Government itself attempts to 
minimize the use of SSNs. See, e.g., Office of Management and Budget 
(OMB) Directive M-07-16, ``Safeguarding Against and Responding to the 
Breach of Personally Identifiable Information,'' and ``Guidance for 
Statewide Longitudinal Data Systems,'' (National Center for Education 
Statistics (NCES) 2011- 602). The importance of limiting SSN use is 
recognized in FERPA, as schools are prohibited from designating SSNs as 
directory information. Hence, while FERPA does not expressly prohibit 
States from using SSNs, best practices dictate that States should limit 
their use of SSNs to instances in which there is no other feasible 
alternative.
    Changes: None.

Disclosures Beyond State Lines

    Comment: Several commenters sought clarification on whether FERPA 
allowed PII from education records to be disclosed across State lines, 
noting that there is increased demand to disclose PII from education 
records to third parties in other States to make comparative 
evaluations of Federal- or State-supported education programs, or to 
connect data on students who may be educated in multiple States. For 
example, one commenter asked the Department to clarify whether FERPA 
would permit postsecondary institutions to disclose PII from education 
records, including outcome data back to high schools in another State.
    Several stakeholders have raised questions about whether the 
proposed regulations would permit the State educational authority in 
one State to designate a State educational authority in another State 
as its authorized representative to disclose PII from education records 
from one authority to the other.
    Another commenter recommended that the Department restrict the 
disclosure of PII from education records under the audit or evaluation 
exception to authorized representatives within a State, or 
alternatively limit out-of-State authorized representatives to only 
other State educational authorities. Another commenter also asked about 
a school's ability to disclose PII from education records to other 
countries.
    Discussion: FERPA makes no distinctions based on State or 
international lines. However, transfers of PII from education records 
across international boundaries, in particular, can raise legal 
concerns about the Department's ability to enforce FERPA requirements 
against parties in foreign countries. It is important to keep in mind 
that for a data disclosure to be made without prior written consent 
under FERPA, the disclosure must meet all of the requirements under the 
exceptions to FERPA's general consent requirement. For example, if the 
conditions under the audit or evaluation exception in FERPA are met, a 
State educational authority could designate an entity in a different 
State as an authorized representative for the purpose of conducting an 
audit or evaluation of the Federal- or State-supported education 
programs in either State. The disclosure of PII from education records 
is not restricted by geographic boundaries. However, disclosure of PII 
from education records for an audit or evaluation of a Federal- or 
State-supported education program is permitted only under the written 
agreement requirements in Sec.  99.35(a)(3) that apply to that 
exception. Under these requirements, the disclosing entity would need 
to take reasonable methods

[[Page 75612]]

to ensure to the greatest extent practicable that its authorized 
representative is in compliance with FERPA, as is explained further 
under the Reasonable Methods (Sec.  99.35(a)(2)) section in this 
preamble. More specifically, an LEA could designate a university in 
another State as an authorized representative in order to disclose, 
without consent, PII from education records on its former students to 
the university. The university then may disclose, without consent, 
transcript data on these former students to the LEA to permit the LEA 
to evaluate how effectively the LEA prepared its students for success 
in postsecondary education.
    Changes: None.

Cloud Computing

    Comment: Several commenters sought clarification on whether the 
proposed regulations would permit cloud computing, where data can be 
hosted in a different State or country. Commenters suggested that the 
final regulations not discriminate based on where data are hosted.
    Discussion: The Department has not yet issued any official guidance 
on cloud computing, as this is an emerging field. We note, however, 
that the Federal Government itself is moving towards a model for secure 
cloud computing. Regardless of whether cloud computing is contemplated, 
States should take care that their security plans adequately protect 
student data, including PII from education records, regardless of where 
the data are hosted.
    Changes: None.

Administrative Burden

    Comment: Several commenters predicted an increase in administrative 
time and resources needed to comply with the proposed regulations, with 
one predicting an ``exponential'' increase. Given the current state of 
State budget deficits, several commenters asked the Department to 
provide guidance for ways to decrease burden, such as offering 
``planning and streamlining administrative processes and tools,'' while 
still ensuring the protection of PII from education records.
    Discussion: The Department appreciates this suggestion and 
acknowledges the current reality of State budget deficits. The 
Department believes, however, that regulating the specifics of data 
sharing would drive up costs, not reduce them. The Department notes 
that the changes reflected in these regulations aim to reduce the 
barriers to data sharing while still protecting student privacy. FERPA 
regulations themselves also do not require any data sharing by 
educational agencies or institutions; these data sharing activities are 
voluntary, and may occur at the discretion of educational agencies or 
institutions. We recognize that some educational agencies and 
institutions may need technical assistance from the Department to help 
ensure that their data sharing activities comply with these 
regulations, and the Department will help meet this potential need for 
SEAs and LEAs.
    See the Potential Costs and Benefits, elsewhere in this preamble, 
for our estimation of costs associated with these regulations.
    Changes: None.

Audit or Evaluation Exception (Sec.  99.35)

General Discussion

    Comment: We received many comments supporting the proposed changes 
to the audit or evaluation exception. A comment co-signed by two dozen 
organizations supported the proposed regulations as the revised 
interpretations would permit more opportunities for data analysis by 
States, LEAs, schools, and research organizations.
    Other commenters generally expressed support for the proposed 
changes, asserting that they would increase the ability to evaluate and 
improve education programs.
    Supporters of the proposed regulations noted that, by reducing 
barriers to data sharing, more States would be able to connect their 
data systems to drive improvement in K-12 schools. Commenters noted 
several specific evaluations that would be possible with the proposed 
amendments to the audit or evaluation exception. For example, an 
evaluation of college freshmen, who all graduated from the same high 
school, may reveal the students needed postsecondary remediation in 
math. This information could help the high school improve its math 
program.
    Likewise, career and technical education (CTE) agencies would be 
able to improve program effectiveness by accessing more data with their 
collaborative partners in workforce development and other non-
educational agencies that prepare students for college and careers. 
Several commenters noted that these changes would allow State 
departments of education to assess their CTE programs and meet Federal 
accountability requirements in the Carl D. Perkins Vocational and 
Technical Education Act of 2006 (Pub. L. 109-270). Those that were 
supportive of these amendments stated that the written agreement 
requirements were reasonable and would help protect the confidentiality 
of the data.
    Discussion: The Department agrees with these commenters that these 
activities would be permissible under these final regulations.
    Changes: None.
    Comment: One commenter stated that the Department's proposed change 
to remove the requirement in Sec.  99.35(a)(2) that express authority 
is required under Federal, State, or local law to conduct an audit, 
evaluation, or enforcement or compliance activity would turn a narrow 
exception to consent into a ``magic incantation'' that would allow 
``unfettered access'' to PII from education records for purposes other 
than what Congress intended. Several commenters objected on the grounds 
that the proposed change would result in confusion, with educational 
institutions struggling to separate real claims of authority from 
frivolous or false ones. Finally, a few commenters contended that the 
Department lacks the legal authority to make this proposed change.
    Discussion: In 2008, we amended Sec.  99.35(a)(2) of the 
Department's FERPA regulations to specifically require that legal 
authority exist under Federal, State, or local law to conduct an audit, 
evaluation, or enforcement or compliance activity. While we imposed no 
requirement to identify legal authority for other exceptions, we 
explained that we added this requirement to the audit or evaluation 
exception because we viewed the educational community as being 
significantly confused about who may receive education records without 
consent for audit or evaluation purposes under Sec.  99.35. We 
explained that ``[i]t [was] not our intention in Sec.  99.35(a)(2) to 
require educational agencies or institutions and other parties to 
identify specific statutory authority before they disclose or 
redisclose PII from education records for audit or evaluation purposes 
but to ensure that some local, State or Federal authority exists for 
the audit or evaluation, including for example an Executive Order or an 
administrative regulation.'' 73 FR 74806, 74822 (December 9, 2008).
    In the NPRM, we proposed removing the language regarding legal 
authority in Sec.  99.35(a)(2) due to confusion caused by the 2008 
regulations. We explained in the preamble of the NPRM that the 
authority for a FERPA-permitted entity to conduct an audit, evaluation, 
or enforcement or compliance activity may be express or implied. The 
intent behind this proposed change was to make clear that Federal, 
State, and local

[[Page 75613]]

law determine whether a given audit or evaluation is permitted, not 
FERPA.
    Based on the comments, however, we are concerned that our 
explanation in the NPRM was not sufficiently clear. Certainly, if an 
educational agency or institution is concerned that a third party 
seeking access to PII from education records is not authorized under 
Federal, State, or local law to conduct an audit, evaluation, or 
enforcement or compliance activity, that educational agency or 
institution should seek guidance from its attorneys or from the State 
attorney general if the concern involves the interpretation of State 
law. If the concern involves the interpretation of Federal law, the 
educational agency or institution should seek guidance from its 
attorneys or from the Federal agency that administers the law in 
question. FERPA itself does not confer the authority to conduct an 
audit, evaluation, or enforcement or compliance activity.
    We disagree with the commenters' contention that the Department 
lacks legal authority to amend the 2008 regulations. Because the 
statute itself does not specifically require that legal authority is 
necessary under Federal, State, or local law before an audit, 
evaluation, or enforcement or compliance activity may be conducted--and 
is, in fact, entirely silent on this issue--we retain the authority, 
subject to rulemaking requirements, to remove the language we added in 
2008, effectively clarifying that the authority may be either express 
or implied. This deletion makes Sec.  99.35(a)(2) consistent with the 
rest of the regulations, which do not address legal authority beyond 
FERPA.
    Changes: None.
    Comment: One commenter stated that the Department lacked the 
authority to regulate how education records are shared with respect to 
programs that are funded by the U.S. Department of Health and Human 
Services (HHS). Specifically, this commenter stated the authority to 
regulate education records maintained by Early Head Start and Head 
Start programs (collectively, ``Head Start'') fell within the exclusive 
jurisdiction of HHS and could not be regulated by the Department of 
Education. This commenter relied upon a provision in the Head Start Act 
that states the:

    Secretary [of HHS], through regulation, shall ensure the 
confidentiality of any personally identifiable data, information, 
and records collected or maintained under this subchapter by the 
Secretary or any Head Start agency. Such regulations shall provide 
the policies, protections, and rights equivalent to those provided 
to a parent, student, or educational agency or institution under 
[FERPA].

42 U.S.C. 9836a(b)(4)(A). This commenter also suggested that the 
Department and HHS work together to minimize the financial burden of 
the proposed regulations on Head Start agencies.
    Discussion: We disagree with the commenter's contention that 
proposed Sec. Sec.  99.3 and 99.35 would supplant the authority of HHS 
as those provisions relate to Head Start; these proposed changes would 
not overreach into HHS' ``sphere of activity.'' First, we note that 
FERPA applies directly to LEAs that receive funding under a program 
administered by the Department, including the Head Start programs that 
they operate. Concurrent jurisdiction exists between the Department and 
HHS for these Head Start programs. The Department did not propose in 
the NPRM that FERPA requirements would apply to Head Start programs not 
under the concurrent jurisdiction of the Department and HHS.
    Further, under current regulations, SEAs and LEAs receiving funding 
under a program administered by the Department--and, therefore, falling 
under the Department's exclusive jurisdiction--are unable to disclose 
PII from educational records, such as the kindergarten grades of former 
Head Start students, to Head Start programs in order to evaluate the 
effectiveness of the Head Start programs. These final regulations 
permit State and local educational agencies and BIE funded and operated 
schools to disclose PII from education records to Head Start programs 
for an audit, evaluation, or enforcement or compliance activity. We 
believe this change aligns with Congress' stated intention in the 
America COMPETES Act and ARRA to link data across all sectors. 
Permitting access to student longitudinal data also builds upon the 
Department's and HHS' commitment to coordinate programs administered by 
State and local educational agencies and BIE funded and operated 
schools with early learning programs administered by non-educational 
agencies.
    Finally, the Department believes that any potential financial 
burden on Head Start agencies that may result from these regulations is 
outweighed by the elimination of unnecessary barriers to the evaluation 
of their programs and the increased flexibility in the operation of 
their programs. Nonetheless, the Department is committed to working 
with HHS to minimize the financial burden of these regulations should 
such an increase in burden actually occur.
    Changes: None.
    Comment: One commenter asked whether the proposed regulations would 
allow an entity that receives PII from education records under the 
audit or evaluation exception to redisclose the PII from education 
records over the original disclosing entity's objection.
    Discussion: In 2008, we amended the FERPA regulations to expressly 
permit FERPA-permitted entities to redisclose PII from education 
records received under the audit or evaluation exception in certain 
conditions. See Sec.  99.33(b)(1) and (b)(2). For example, this change 
permitted an SEA to redisclose PII ``on behalf of'' the LEA if the 
redisclosure is to another school where the student seeks or intends to 
enroll, under Sec. Sec.  99.31(a)(2) and 99.34 and the recordkeeping 
requirements in Sec.  99.32(b)(1) or (b)(2) are met.
    However, in 2008 we did not clarify that a redisclosure under the 
studies exception would be on behalf of an educational agency or 
institution if the SEA or other FERPA-permitted entity believed it 
would benefit the educational agency or institution.
    In the NPRM, we specifically proposed that FERPA-permitted entities 
that receive PII from education records under the audit or evaluation 
exception be able to redisclose the PII from education records under 
the studies exception if all requirements to that exception are met. 
For example, a FERPA-permitted entity would be permitted to redisclose 
PII from education records under the studies exception in Sec.  
99.31(a)(6) if: (1) The FERPA-permitted entity has the express or 
implied legal authority to have the study in question conducted, and 
(2) the educational agency or institution either agrees to the 
redisclosure, in which case the redisclosure would be ``for'' the 
educational agency or institution, or the study is designed to improve 
instruction, in which case the redisclosure would be ``on behalf of'' 
the educational agency or institution. Accordingly, a redisclosure may 
be ``for'' or ``on behalf of'' of the original disclosing entity even 
if that entity objects to the redisclosure. For instance, an SEA 
receiving PII from an LEA may redisclose PII ``on behalf of'' the LEA 
if the redisclosure is for a study designed to improve the LEA's 
instruction. In this example, it would be irrelevant if the LEA 
objected to the SEA's redisclosure. FERPA-permitted entities that make 
further disclosures of PII from education records under the studies 
exception also must comply with the conditions specified in Sec.  
99.31(a)(6) and ensure that the recordkeeping requirements in Sec.  
99.32(b)(1) or (b)(2) have been met.

[[Page 75614]]

    Changes: None.

Definition of ``Education Program'' (Sec. Sec.  99.3 and 99.35)

    Comment: Many commenters were supportive of the proposal to define 
the term ``education program.'' Many of these commenters commended the 
Department's proposal to adopt a broad definition of ``education 
program'' because doing so recognizes the fact that education begins 
prior to kindergarten and involves programs not administered by State 
or local educational agencies. While some commenters expressed concern 
that an overly broad definition of ``education program'' would result 
in extraneous programs being wrongly allowed access to student PII from 
education records, others expressed concern that an overly narrow 
definition would hinder legitimate data sharing needed to improve 
education programs. One commenter was concerned that the definition 
would omit programs many believe are necessary for students to succeed 
but may not be ``principally engaged in the provision of education.'' 
The commenter gave several examples including substance abuse, anti-
bullying, and suicide prevention programs.
    Numerous commenters provided other examples of specific programs 
and asked the Department to identify if those programs would be 
considered an education program under the proposed definition. 
Commenters specifically requested clarity about what types of early 
childhood programs would be considered education programs. A few 
commenters suggested that the Department utilize the HEA definition of 
``early childhood education program.''
    One commenter suggested that we change ``principally'' to 
``primarily'' in the definition of ``education program.'' Another 
recommended that the definition include ``transitions from secondary to 
postsecondary education.'' We also received the suggestion that we 
amend the definition of ``education program'' to specify that the 
program must be principally engaged in the provision of education to 
students in early childhood through postsecondary.
    One commenter requested further clarity regarding who determines 
whether a program meets the definition of ``education program'' and how 
to handle any potential disputes regarding that determination.
    Another commenter suggested that the Department was acting outside 
of its legal authority to expand the use of PII from education records 
to programs not administered by an educational agency or institution, 
and termed it an ``unreasonable interpretation.''
    Discussion: The Department has decided to make several changes to 
the definition as a result of the comments received. Whether a program 
is determined to be an education program should be based on the 
totality of the program, and not on whether the program contains a 
specific ``incidental educational or training activity within a broader 
non-education program,'' as suggested by one commenter. The number of 
commenters requesting clarity on which early childhood programs would 
be considered education programs under FERPA suggested a real need for 
the Department to define the term in the regulations to support 
faithful implementation of the FERPA amendments in the field. We agree 
with those commenters who suggested that the Department utilize the HEA 
definition of ``early childhood education program'' and are adopting 
this definition for several key reasons. By adopting a definition 
already established by Congress, we are confident that it will provide 
the requested clarity. This definition also provides greater 
consistency across Federal programs, resulting in more transparency and 
less burden.
    The final regulations provide that any program administered by an 
educational agency or institution is considered to be an education 
program. We have made this change to ensure that, in addition to 
programs dedicated to improving academic outcomes, this definition 
includes programs, such as bullying prevention, cyber-security 
education, and substance abuse and violence prevention, when 
administered by an educational agency or institution.
    It is the Department's intent that the following types of programs, 
regardless of where or by whom they are administered, fall under the 
new definition of ``education program'': The educational programs 
conducted by correctional and juvenile justice facilities or 
alternative long-term facilities such as hospitals, dropout prevention 
and recovery programs, afterschool programs dedicated to enhancing the 
academic achievement of its enrollees, schools for the hearing and 
visually impaired, college test tutoring services, and high school 
equivalency programs. The following are examples of the types of 
programs that will generally be excluded from the definition of 
``education program'': Programs that are principally engaged in 
recreation or entertainment (such as programs designed to teach 
hunting, boating safety, swimming, or exercise), programs administered 
by direct marketers, and neighborhood book clubs. These are not all-
inclusive lists; each program will need to be assessed to determine if 
it meets this regulatory definition of ``education program'' because it 
is principally engaged in the provision of education.
    The Department declines to change the word ``principally'' to 
``primarily'' in the definition of ``education program'' because we 
view these terms as being synonymous and interchangeable. The 
Department also declines to explicitly state that transitions from 
secondary to postsecondary education are included in the definition, 
because any transition program must meet the definition of ``education 
program,'' and it may be misleading to list some types of these 
programs and not others. The Department further declines to amend the 
definition of ``education program'' to require that the education 
program be principally engaged in the provision of education to 
``students'' in early childhood through postsecondary education. 
Explicitly adding ``students'' to the definition would potentially 
exclude certain programs that would otherwise fit under this definition 
and that the Department intends to include. For example, this change 
would be particularly problematic for early childhood education 
programs, such as Head Start and IDEA Part C, which refer to their 
participants as children and infants or toddlers, respectively, not 
students. Head Start and IDEA Part C are explicitly included in the 
definition of ``early childhood education program,'' and the Department 
refrains from adding language that would contradict this definition and 
create confusion for implementation.
    FERPA-permitted entities may disclose PII from education records 
without obtaining consent in order to conduct an audit, evaluation, or 
enforcement or compliance activity. FERPA permits these disclosures to 
occur without consent, but FERPA-permitted entities have the discretion 
to set their own policies and practices for implementing these 
disclosures, including any resolution processes that may be necessary 
to handle disputes regarding whether a program meets the definition of 
education program.
    Finally, we disagree with the commenters who suggested that the 
Department lacks the legal authority to define ``education program'' in 
a way that would allow authorized representatives to use PII from 
education records to evaluate programs not administered by an 
educational agency or institution. As discussed elsewhere in greater 
detail, the

[[Page 75615]]

Department has broad authority under GEPA to promulgate regulations 
that implement programs established by statute and administered by the 
Department, including FERPA. In this case, nothing in the statute 
itself or its legislative history limits the Department's authority to 
define ``education program,'' a previously undefined term.
    The new definition of ``education program'' helps to ensure that 
the FERPA regulations do not impede States' ability to comply with 
ARRA. As discussed in the NPRM, in order to ensure that the 
Department's regulations do not create obstacles to States' compliance 
with ARRA, the Department sought to find a solution that would give 
effect to both FERPA and this more recent legislation by defining the 
term ``education program'' to include programs that are not 
administered by an educational agency or institution.
    The Department's definition of the term ``education program'' is 
intended to facilitate the disclosure of PII from education records, as 
necessary, to evaluate a broad category of education programs.
    The Department's definition of ``education program'' is also 
intended to harmonize FERPA and ARRA so as to protect PII from 
education records, even where the Department may not have a direct 
funding relationship with the recipient of PII from education records. 
We believe that the definition of the term ``education program'' 
sufficiently recognizes those common elements among entities that need 
to evaluate education programs and services, regardless of whether the 
education programs are funded by the Department.
    Changes: In Sec.  99.3, we have added a definition of the term 
``early childhood education program.'' In addition, we have revised the 
definition of ``education program'' to include any program that is 
administered by an educational agency or institution.
    Comment: One commenter requested that the Department clarify that 
PII from education records disclosed without obtaining consent under 
the audit or evaluation exception must be limited to PII related to 
educational data, given the wider variety of health information and 
other PII included in the school records of students with disabilities.
    Discussion: Under the audit or evaluation exception, PII from 
education records may be disclosed without consent only to audit or 
evaluate Federal- or State-supported education programs, or to enforce 
or to comply with Federal legal requirements related to such programs. 
If PII from education records related to a student's health is 
necessary to evaluate an education program, this information may be 
disclosed without obtaining consent, provided all other requirements in 
the regulations are met. However, the same information would not be 
permitted to be disclosed without obtaining consent to evaluate the 
effectiveness of a health program.
    Changes: None.

Definition of Authorized Representative (Sec. Sec.  99.3 and 99.35)

    Comment: Numerous commenters expressed support for our proposed 
definition of the term ``authorized representative.'' Among other 
reasons given for support, commenters stated that they were confident 
that the definition would facilitate better evaluations or would lead 
to an increased ability to conduct evaluations of Federal- and State-
supported education programs. One commenter stated that the proposed 
definition was appropriate and necessary and reasonable in scope. One 
commenter was especially pleased that an SEA or LEA would have the 
ability to designate an individual or entity under the new definition 
for the purposes of conducting evaluations. Multiple commenters stated 
that the proposed definition would assist SEAs in handling PII 
disclosed from education records and in linking it across sectors, 
including the education and workforce sectors for the purposes of an 
audit, evaluation, or enforcement or compliance activity.
    Finally, one commenter stated that FERPA-permitted entities under 
Sec.  99.31 should include tribal education agencies (TEAs). This 
commenter contended that because FERPA regulations allow for the 
disclosure, without consent, of PII from education records to ``State 
and local educational authorities'' for audit or evaluation of Federal- 
and State-funded education programs, TEAs--the education arms of 
sovereign tribal governments--should also be allowed to access PII from 
education records without consent.
    Discussion: The Department agrees with these commenters that the 
definition of the term ``authorized representative'' in the final 
regulations will increase the ability of FERPA-permitted entities to 
conduct audits or evaluations of Federal- and State-funded education 
programs, including those that link PII from education records across 
the education and workforce sectors.
    As for TEAs, the Department's current interpretation of ``State and 
local educational authorities'' does not include them. Although the 
Department, as part of its proposal for the reauthorization of ESEA, 
supports strengthening the role of TEAs in coordinating and 
implementing services and programs for Indian students within their 
jurisdiction, we did not propose to define the term ``State and local 
educational authorities'' in the NPRM and, therefore, decline to 
regulate on it without providing the public with notice and the 
opportunity to comment. The Department's interpretation of the term 
``State and local educational authorities'' does, however, include BIE.
    Changes: None.
    Comment: One commenter requested that we clarify the proposed 
definition of the term ``authorized representative'' to make it more 
similar to the regulatory language currently used in Sec.  99.35(a)(1). 
This commenter expressed concern that, in our proposed definition, an 
authorized representative could be interpreted to mean an individual or 
entity who is engaged only in activities connected to Federal legal 
requirements related to Federal or State supported education programs. 
The commenter noted that Sec.  99.35(a)(1) addresses both audit or 
evaluation activities associated with a Federal- or State-supported 
education program, and activities associated with enforcement of, or 
compliance with, Federal legal requirements that relate to those 
programs. The commenter recommended that we clarify the definition of 
the term ``authorized representative'' to align it with Sec.  
99.35(a)(1) and make clear that the Federal legal requirement only 
modifies the compliance or enforcement activity. Specifically, when 
describing the activities an authorized representative can carry out, 
the commenter requested we add an ``or'' between the words ``audit'' 
and ``evaluation,'' as opposed to a comma, and the word ``any'' before 
the term ``compliance or enforcement activity.''
    Discussion: We intend for our definition of the term ``authorized 
representative'' to cover both an individual or an entity engaged in 
the enforcement of or compliance with Federal legal requirements 
related to Federal- or State-supported education programs, and also to 
cover an individual or an entity conducting an audit or evaluation of a 
Federal- or State-supported education program. Accordingly, we are 
making this clarification in the definition.
    Changes: We have made the minor changes suggested by the commenter 
to the definition of ``authorized representative''.
    Comment: Multiple commenters suggested that the Department exceeded

[[Page 75616]]

its legal authority by proposing to define the term ``authorized 
representative.'' While acknowledging that FERPA does not define this 
term, these commenters stated that authorized representatives should 
only consist of the Comptroller General, the Attorney General, the 
Secretary, and State and local educational authorities since FERPA 
specifically allows for the disclosure of PII from education records to 
these entities. The commenters contended that expanding the definition 
beyond the four entities specifically identified in FERPA would be 
impermissible and that such a change would require congressional 
action. A few commenters pointed to a statement from the preamble to 
the final FERPA regulations (73 FR 74806, 74828) published in the 
Federal Register on December 9, 2008, in which the Department stated 
that ``any further expansion of the list of officials and entities in 
FERPA that may receive education records without the consent of the 
parent or the eligible student must be authorized by legislation 
enacted by Congress.''
    Other commenters objected to the rescission of the ``direct 
control'' requirement contained in the policy guidance on authorized 
representatives issued by then-Deputy Secretary of Education William D. 
Hansen in a memorandum dated January 30, 2003 (Hansen Memorandum). The 
Hansen Memorandum required that under the ``audit or evaluation 
exception,'' an authorized representative of a State educational 
authority must be a party under the direct control of that authority, 
e.g., an employee or a contractor. Under the Hansen Memorandum, an SEA 
or other State educational authority could not disclose PII without 
consent from education records to other State agencies, such as a State 
health and human services department, a State unemployment insurance 
department, or a State department of labor because these State agencies 
were not under the SEA's direct control.
    Commenters further cited the conclusion in the Hansen Memorandum 
that the two references to the word ``officials'' in paragraph (b)(3) 
of FERPA reflect a congressional concern that the authorized 
representatives of a State educational authority be under the direct 
control of that authority. Specifically, commenters relied upon a 
December 13, 1974, joint statement in explanation of the Buckley/Pell 
Amendment (Joint Statement) that suggested that FERPA ``restricts 
transfer, without the consent of parents or students, of PII concerning 
a student to * * * auditors from the General Accounting Office and the 
Department of Health, Education, and Welfare.'' From this Joint 
Statement, these commenters suggested that Congress did not intend for 
``authorized representative'' to be defined as broadly.
    Commenters also cited several policy reasons for precluding other 
entities from serving as authorized representatives of FERPA-permitted 
entities, including that this definition would weaken the 
accountability of State or local educational authorities and would 
allow criminals, repeated privacy violators, and those with dubious 
standing to serve as authorized representatives. One commenter 
questioned whether individual State politicians or private companies 
could be authorized representatives.
    One commenter, though supporting our definition of the term 
``authorized representative,'' suggested that the definition of the 
term was too narrow and should be broadened to include child welfare 
agencies and their obligations to monitor the education outcomes of the 
children in their care. One commenter challenged the Department's 
proposed definition of ``authorized representative'' on the grounds 
that it constituted an unlawful sub-delegation of the Department's 
statutory authority by vesting the interpretation of FERPA in non-
Federal entities. This commenter cited U.S. Telecom Ass'n v. F.C.C., 
359 F.3d 554, 565 (DC Cir., cert. denied, 543 U.S. 925 (2004), in 
support of the position that such delegations are ``improper absent an 
affirmative showing of congressional authorization.''
    Discussion: It is important to note that FERPA does not define the 
term ``authorized representative.'' In the absence of a statutory 
definition, the Supreme Court has made it clear that it is appropriate 
to ``construe a statutory term in accordance with its ordinary or 
natural meaning.'' See, e.g., FDIC v. Meyer, 510 U.S. 471, 476 (1994).
    In this case, ``authorize'' is commonly understood to mean to: 
``Invest especially with legal authority: EMPOWER * * *.'' 
``Representative'' is commonly understood to mean: ``* * * standing or 
acting for another especially through delegated authority * * *.'' 
Merriam-Webster's Collegiate Dictionary (11th Ed. 2011).
    Following these standard definitions of ``authorize'' and 
``representative,'' it is entirely appropriate that we permit State 
educational authorities, the Secretary, the Comptroller General, and 
the Attorney General to have the flexibility and discretion to 
determine who would best be able to represent them in connection with 
audits, evaluations, or enforcement or compliance activities. 
Restricting their discretion to select only their own officers and 
employees or those under their ``direct control'' is not required by 
the term's plain, dictionary meaning.
    Additionally, we do not find the policy concerns for precluding 
other entities from serving as authorized representatives offered by 
commenters to be persuasive. While nothing in the final regulations 
specifically prohibits a State politician or private company, for 
example, from being designated as an authorized representative, the 
full requirements under FERPA must be met before PII from education 
records may be disclosed to any party. These regulations do not expand 
any of the reasons an individual or an entity can be designated as an 
authorized representative. As before, it may only be done to conduct an 
audit, evaluation, or enforcement or compliance activity. For example, 
to authorize a representative to conduct an evaluation, there must be a 
written agreement specifying the terms of the disclosure, and PII from 
education records may only be used for the purposes specified in the 
written agreement; the FERPA-permitted entity authorizing the 
evaluation must also take reasonable methods to ensure to the greatest 
extent practicable that its authorized representative complies with 
FERPA, as is explained in the ``Reasonable Methods (Sec.  
99.35(a)(2)),'' section later in this preamble. If an individual or 
organization sought access to PII from education records for its own 
purpose, disclosure of the PII from education records without consent 
would not be permitted under FERPA, and the FERPA-permitted entity must 
not authorize the representative or permit the disclosure of PII from 
education records without consent. The written agreement operates as a 
contract between the FERPA-permitted entity and the authorized 
representative, so in the event that an individual or entity misuses 
PII from education records for purposes other than those that are 
authorized, there would be recourse according to the terms specified in 
the written agreement, in addition to any enforcement actions the 
Department may take.
    Also, we continue to believe that there are good policy reasons to 
allow other agencies to serve as authorized representatives of FERPA-
permitted entities. As we explained in the NPRM, we believe that our 
prior interpretation of the term ``authorized representative'' unduly 
restricted State and local educational authorities from disclosing PII 
from education records for the purpose of obtaining data on post-

[[Page 75617]]

school outcomes, such as employment of their former students, in order 
to evaluate the effectiveness of education programs. Accordingly, we 
believe that our interpretation reflected in these final regulations 
reasonably permits State and local educational authorities, the 
Secretary, the Comptroller General, and the Attorney General of the 
United States to have the necessary flexibility and discretion to 
determine who may represent them with respect to audits and evaluations 
of Federal- or State-supported education programs and to enforce and to 
comply with Federal legal requirements that relate to such programs, 
subject to the requirements in FERPA.
    Some commenters also appear to have misunderstood the Department's 
previous interpretation of the term ``authorized representative'' and 
mistakenly assumed that the Department has historically only permitted 
employees and contractors of FERPA-permitted entities to serve as 
authorized representatives. This is not the case. For instance, prior 
to the issuance of the Hansen Memorandum in 2003, the Department 
entered into a memorandum of agreement with the Centers for Disease 
Control and Prevention (CDC) in which the Department designated the CDC 
to serve as its authorized representative for purposes of collecting 
information under the Metropolitan Atlanta Developmental Disabilities 
Surveillance Program.
    Further, prior to the Hansen Memorandum, the Department had 
provided guidance that State educational authorities could designate a 
State Unemployment Insurance agency as an authorized representative for 
the purpose of conducting wage record matches to carry out the 
performance reporting requirements of the Workforce Investment Act 
(WIA). Memorandum on Application of FERPA to Reporting for Eligible 
Training Providers under Title I of WIA from Judith A. Winston, 
Undersecretary of the Department of Education, (January 19, 2001).
    Further, in the 2008 FERPA regulations, the term ``authorized 
representative'' was not limited to employees and contractors of the 
FERPA-permitted entities. In the preamble to those regulations, we 
wrote:

    In general, the Department has interpreted FERPA and 
implementing regulations to permit the disclosure of personally 
identifiable information from education records, without consent, in 
connection with the outsourcing of institutional services and 
functions. Accordingly, the term ``authorized representative'' in 
Sec.  99.31(a)(3) includes contractors, consultants, volunteers, and 
other outside parties (i.e., nonemployees) used to conduct an audit, 
evaluation, or compliance or enforcement activities specified in 
Sec.  99.35, or other institutional services or functions for which 
the official or agency would otherwise use its own employees. For 
example, a State educational authority may disclose personally 
identifiable information from education records, without consent, to 
an outside attorney retained to provide legal services or an outside 
computer consultant hired to develop and manage a data system for 
education records.

73 FR 74806, 74825 (Dec. 9, 2008).

    In other words, since 2008, we have included within the definition 
of ``authorized representative'' any outside party used to conduct an 
audit, evaluation, or enforcement or compliance activity specified in 
Sec.  99.35, or other institutional services or functions for which the 
official or agency would otherwise use its own employees. These outside 
parties were required to be under the direct control of an SEA pursuant 
to the Hansen Memorandum; however, as we discuss in further detail in 
the following paragraphs, the Department has decided to eliminate the 
Hansen Memorandum's direct control requirement in these final 
regulations.
    The statement in the preamble to the 2008 final regulations that 
``any further expansion of the list of officials and entities in FERPA 
that may receive education records without the consent of the parent or 
the eligible student must be authorized by legislation enacted by 
Congress,'' means that any expansion of the current statutory 
exceptions to the consent requirement must be authorized by Congress. 
Today's change is not an expansion of the statutory exceptions to the 
consent requirement; rather it is a modification of the Department's 
interpretation of a term used in one of FERPA's existing statutory 
exceptions to consent so as to be consistent with recent developments 
in the law.
    Moreover, the 2008 FERPA amendments did not provide an exhaustive 
or comprehensive list of the exceptions to the written consent 
requirement that would permit disclosure to non-educational State 
agencies. Rather, we noted that there are ``some exceptions that might 
authorize disclosures to non-educational State agencies for specified 
purposes'' and listed as examples disclosures made under the health or 
safety emergency exception (Sec. Sec.  99.31(a)(10) and 99.36), the 
financial aid exception (Sec.  99.31(a)(4)), or pursuant to a State 
statute under the juvenile justice exception (Sec. Sec.  99.31(a)(5) 
and 99.38). This was not an exhaustive listing of FERPA exceptions to 
the general consent requirement that would permit disclosure to non-
educational State agencies. For example, a disclosure without consent 
also may be made to non-educational State agencies pursuant to the 
exception for lawfully issued subpoenas (Sec.  99.31(a)(9)), but this 
was not included in the 2008 preamble.
    Even if the preamble to the 2008 final regulations clearly stated 
that the officials and agencies listed under Sec.  99.31(a)(3)(i) 
through (a)(3)(iv) could not designate non-educational State agencies 
as their authorized representatives--which it did not--the Department 
still retains the authority to change its interpretation through 
notice-and-comment rulemaking, especially in light of recent 
legislation. Accordingly, because the term ``authorized 
representative'' is not defined in the statute, and the America 
COMPETES Act and ARRA have provided evidence of Congressional intent to 
expand and develop SLDS to include early childhood, postsecondary, and 
workforce information, the Department has decided to change its 
interpretation of the term ``authorized representative'' in order to 
permit State and local educational authorities, the Secretary of 
Education, the Comptroller General, and the Attorney General of the 
United States to have greater flexibility and discretion to designate 
authorized representatives who may access PII from education records as 
needed to conduct an audit, evaluation, or enforcement or compliance 
activity specified in Sec.  99.35.
    In response to commenters who objected to the rescission of the 
Hansen Memorandum's direct control requirement, the direct control 
requirement is not found in FERPA and is inconsistent with requirements 
of the America COMPETES Act and ARRA. We do not interpret the two 
references to the word ``officials'' in paragraph (b)(3) of FERPA as 
defining who may serve as an authorized representative of the officials 
listed in the exception. This would, in fact, limit those who could 
serve as an authorized representative to officials of the heads of 
agencies listed, which is inconsistent with the position adopted by the 
Hansen Memorandum. Rather, we interpret the word ``officials'' in 
paragraph (b)(3) of FERPA as simply a reference back to the four 
officials who are listed in the exception: the Secretary, the 
Comptroller General, the Attorney General of the United States, and 
State educational authorities.
    The 1974 Joint Statement stated that ``existing law restricts 
transfer, without the consent of parents or students, of personally 
identifiable information

[[Page 75618]]

concerning a student to * * * auditors from the General Accounting 
Office and the Department of Health, Education, and Welfare * * *'' 120 
Cong. Rec. at 39863 (December 13, 1974). FERPA, however, was originally 
enacted on August 21, 1974. Thus, the Joint Statement provides little 
more than a retrospective narrative background regarding the exception 
to consent in 20 U.S.C. 1232g(b)(1)(C) and (b)(3), which already was in 
existing law and was not being amended in December 1974. Further, the 
Joint Statement only provides a short-hand and incomplete summary of 
this exception to consent. Significantly, the Joint Statement omits 
many aspects of this then-existing exception, which in addition to 
permitting disclosure of PII from education records without consent to 
``authorized representatives of'' the Comptroller General and the 
Secretary of Health, Education, and Welfare (as referred to in the 
Joint Statement) also permitted disclosure without consent to 
``authorized representatives of'' ``State educational authorities'' and 
``an administrative head of an education agency.'' See section 513 of 
Pub. L. 93-380 (August 21, 1974). Further, this then existing exception 
to consent permitted disclosure of PII from education records without 
consent not only for the conduct of audits by auditors (as referred to 
in the Joint Statement), but also for the conduct of evaluations and 
the enforcement of Federal legal requirements. Id.
    While we support the efforts in the Hansen Memorandum to protect 
student privacy, the Hansen Memorandum's direct control requirement 
resulted in State and local educational authorities engaging in 
convoluted processes to conduct an audit, evaluation, or enforcement or 
compliance activity that may serve only to increase costs and lessen 
privacy protection. Student privacy can be protected without having to 
prohibit disclosure of PII from education records to other entities in 
order to conduct an audit, evaluation, or enforcement or compliance 
activity. Although increased data sharing may result from our 
definition of ``authorized representative,'' it still would only be 
permitted under the terms of the exception. To disclose PII from 
education records without consent to an authorized representative 
(other than an employee), the exception requires written agreements and 
the use of reasonable methods to ensure to the greatest extent 
practicable FERPA compliance by an authorized representative. Further, 
an authorized representative's use of PII from education records is 
restricted to audits, evaluations, or enforcement or compliance 
activities.
    The Department also disagrees that its definition of ``authorized 
representative'' constitutes an unlawful sub-delegation of authority to 
non-Federal entities. Although U.S. Telecom stands for the proposition 
that certain Federal agency sub-delegations are improper, its holding 
is inapposite when applied to the Department's definition of the term 
``authorized representative'' in Sec.  99.3. Unlike the statutory 
language in 20 U.S.C. 1232g(b)(1)(C) and (b)(3) that specifically 
identifies authorized representatives of the designated entities as 
potential recipients to whom PII from education records may be 
disclosed without consent, the authorizing statute at issue in U.S. 
Telecom assigned the FCC the specific responsibility of making 
impairment determinations:

    ``* * * the Commission shall consider, at a minimum, whether--
(A) access to such network elements as are proprietary in nature is 
necessary; and (B) the failure to provide access to such network 
elements would impair the ability of the telecommunications carrier 
seeking access to provide the services that it seeks to offer''.

    See 47 U.S.C. 251(d)(2). The U.S. Telecom court rejected the FCC's 
argument that it possessed the presumptive authority to sub-delegate 
its statutory decisionmaking responsibilities to any party absent 
congressional intent to the contrary. In this case, however, the 
Department is not attempting to delegate its decisionmaking authority 
and is only permitting authority for an audit, evaluation, or 
enforcement or compliance activity to be delegated to authorized 
representatives of FERPA-permitted entities, as Congress specifically 
identified in FERPA.
    U.S. Telecom is similarly distinguished in Fund for Animals v. 
Norton, 365 F. Supp. 2d 394 (S.D.N.Y. 2005), which held that the Fish 
and Wildlife Service (FWS) did not act unlawfully by delegating limited 
authority over management of cormorant populations to regional FWS and 
State wildlife services directors, State agencies, and federally 
recognized Indian Tribes. Fund for Animals emphasized that FWS' 
delegation was not inconsistent with the statutory requirements and 
thus was entitled to deference under the Supreme Court's decision in 
Chevron U.S.A. Inc. v. NRDC, 467 U.S. 837 (1984). Id. at 410-11. Unlike 
the FCC's wholesale delegation to State commissioners of its statutory 
responsibility to make access determinations under 47 U.S.C. 251(d)(2), 
the FWS retained ultimate control over the delegates' determinations.
    Likewise, in adopting the definition of the term ``authorized 
representative,'' the Department is not delegating its statutory 
authority to address violations of FERPA under 20 U.S.C. 1232g(f). The 
Department is simply delegating the authority to the entities specified 
in 20 U.S.C. 1232g(b)(1)(C) and (b)(3) to determine who may serve as 
their authorized representatives to conduct an audit, evaluation, or 
enforcement or compliance activity. This delegation is premised on 
compliance with other statutory and regulatory conditions, in 
connection with audits, evaluations, or enforcement or compliance 
activities.
    Some commenters asked that we expand the definition of the term 
``authorized representative'' to include child welfare agencies, to 
allow these agencies to monitor the educational outcomes of children 
under their care and responsibility. Paragraph (b)(3) of FERPA, 
however, does not allow this expansion of the purposes for which PII 
from education records may be used by authorized representatives. While 
we agree that authorized representatives of State educational 
authorities may generally include child welfare agencies, authorized 
representatives may only access PII from education records under 
paragraph (b)(3) of FERPA in order to conduct audits, evaluations, or 
enforcement or compliance activities.
    Changes: None.
    Comment: One commenter expressed concern about being held 
responsible for the disclosure of PII from education records to an 
authorized representative over which it does not have direct control, 
such as another State agency, if the authorized representative 
improperly rediscloses that information. This commenter, therefore, 
recommended that the FERPA regulations provide that a State or local 
educational authority is not required to comply with FERPA in regard to 
PII from education records that it discloses to an authorized 
representative over which it does not have direct control. In the 
alternative, this commenter requested that the regulations clarify that 
a State or local educational authority retains control over the entity 
or individual designated as its authorized representative through the 
required written agreement to ensure PII from education records is 
protected from unauthorized redisclosure.
    Discussion: Like any disclosing entity, State or local educational 
authorities have an important responsibility to

[[Page 75619]]

protect the privacy of PII from education records. To carry out this 
responsibility, a State or local educational authority must use 
reasonable methods to ensure to the greatest extent practicable that 
its authorized representative is complying with FERPA. A disclosing 
State or local educational authority, such as an SEA, also must enter 
into a written agreement with its authorized representative that 
details the responsibilities of both parties to protect the PII from 
education records disclosed to the authorized representative by the 
educational authority. If the State or local educational authority, 
such as an SEA, does not have confidence that the authorized 
representative will meet its responsibilities under the written 
agreement to protect PII from education records, the State or local 
educational authority should not authorize the individual or entity as 
a representative. The Department would be abdicating its responsibility 
under FERPA to protect the privacy of PII from education records if we 
released a State or local educational authority from responsibility 
when it discloses PII from education records to an authorized 
representative that is not under its direct control, such as another 
State agency.
    Changes: None.
    Comment: One commenter stated that, because the definition of 
``authorized representative'' would allow ``any individual or entity'' 
to be designated as an authorized representative, the Department 
appears to be adopting a position under which an authorized 
representative is not required to have a ``legitimate educational 
interest'' to receive PII from education records under the audit or 
evaluation exception.
    Discussion: We believe the regulations clearly articulate that a 
FERPA-permitted entity may only disclose PII from education records to 
an authorized representative under the audit or evaluation exception if 
the authorized representative will use PII from education records for 
one of the statutorily-specified purposes, i.e., if it is needed to 
conduct audits, evaluations, or enforcement or compliance activities. 
We have revised the regulations regarding written agreements between 
FERPA-permitted entities and their authorized representatives to 
include a requirement that the written agreement establish the policies 
and procedures that limit the use of PII from education records to only 
authorized representatives for statutorily-specified purposes. If an 
authorized representative receives PII from education records for one 
of these statutorily-specified purposes, then this constitutes a 
legitimate interest in receiving PII from education records. We have 
not required that authorized representatives have ``legitimate 
educational interests'' in receiving PII from education records, as 
suggested by the commenter, because we already require in Sec.  
99.31(a)(1) of the current regulations that educational agencies and 
institutions must determine that school officials have legitimate 
educational interests. Because authorized representatives differ from 
school officials and may receive PII from education records only for 
statutorily-specified purposes, we refer to the interests of authorized 
representatives in receiving PII from education records as ``legitimate 
interests.''
    Changes: We have revised Sec.  99.35(a)(3)(v) to substitute the 
phrase ``authorized representatives with legitimate interests in the 
audit or evaluation of a Federal- or State-supported education program 
or for compliance or enforcement of Federal legal requirements related 
to these programs'' for the phrase ``authorized representatives with 
legitimate interests.''
    Comment: Some commenters indicated that the proposed definition of 
``authorized representative'' should be amended so that authorized 
representatives may use PII from education records for any compliance 
or enforcement activity in connection with State legal requirements 
that relate to Federal- or State-supported education programs, as 
opposed to just Federal legal requirements.
    Discussion: The Department lacks the statutory authority to make 
the requested change to expand the disclosures of PII from education 
records permitted without consent to include compliance or enforcement 
activity in connection with State legal requirements that relate to 
Federal- or State-supported education programs. Specifically, section 
(b)(3) and (b)(5) of FERPA only permit the disclosure of PII from 
education records, without consent, ``in connection with the 
enforcement of the Federal legal requirements'' that relate to Federal- 
or State-supported education programs. Accordingly, the Department is 
unable to expand the permitted disclosures of PII from education 
records to include a compliance or enforcement activity in connection 
with State legal requirements.
    Changes: None.
    Comment: One commenter also requested that, in lieu of the proposed 
definition of ``authorized representative,'' we provide that State 
agencies or other entities responsible for an education program, as 
that term was defined in the NPRM, are educational authorities for the 
limited purpose of the administration of their Federal- or State-
supported education programs and that such entities are subject to the 
enforcement powers of the Department.
    Discussion: We did not propose in the NPRM to define the term 
``State and local educational authorities,'' which is used in Sec.  
99.31(a)(3). Therefore, we do not believe it is appropriate to define 
this term without providing the public with notice and the opportunity 
to comment on a proposed definition. Further, we do not agree that 
every entity that is responsible for an ``education program'' would be 
considered a State or local educational authority. As explained earlier 
in the preamble, the Department has generally interpreted the term 
``State and local educational authorities'' to mean LEAs, SEAs, State 
postsecondary commissions, BIE, or entities that are responsible for 
and authorized under State or Federal law to supervise, plan, 
coordinate, advise, audit, or evaluate elementary, secondary, or 
postsecondary education programs and services in the State. Thus, we 
would not consider individual schools or early learning centers to be 
State or local educational authorities. Finally, the Department's 
enforcement powers with respect to a State or local educational 
authority are dependent on whether the educational authority receives 
funding under a program administered by the Secretary. If an 
educational authority does not receive such funding, then the 
Department's only FERPA enforcement measure would be the five-year 
rule.
    Changes: None.
    Comment: Several commenters stated that the Department should adopt 
additional remedies or sanctions to hold authorized representatives 
accountable.
    Discussion: FERPA authorizes the Secretary to pursue specific 
remedies against recipients of funds under programs administered by the 
Secretary. Congress expressly directed the Secretary to ``take 
appropriate actions'' to ``enforce'' FERPA and ``to deal with 
violations'' of its terms ``in accordance with [GEPA].'' 20 U.S.C. 
1232g(f). In GEPA, Congress provided the Secretary with the authority 
and discretion to take enforcement actions against any recipient of 
funds under any program administered by the Secretary for failures to 
comply substantially with FERPA (or other requirements of applicable 
law). 20 U.S.C. 1221 and 1234c(a). GEPA's enforcement methods expressly 
permit the Secretary to issue a complaint to compel compliance

[[Page 75620]]

through a cease and desist order, to recover funds improperly spent, to 
withhold further payments, to enter into a compliance agreement, or to 
``take any other action authorized by law,'' including suing for 
enforcement of FERPA's requirements. 20 U.S.C. 1234a, 1234c(a), 1234d, 
1234e; 1234f; 34 CFR 99.67(a); see also United States v. Miami Univ., 
294 F.3d 797 (6th Cir. 2002) (affirming district court's decision that 
the United States may bring suit to enforce FERPA). Thus, if an 
authorized representative receives funds under a program administered 
by the Secretary, the Department has the authority to enforce failures 
to comply with FERPA under any of GEPA's enforcement methods. If an 
authorized representative does not receive funds under a program 
administered by the Secretary and improperly rediscloses PII from 
education records, then the only remedy available under FERPA against 
the authorized representative would be for the Department to prohibit 
the disclosing educational agency or institution from permitting the 
authorized representative from accessing PII from education records for 
a period of not less than five years. 20 U.S.C. 1232g(b)(4)(B). These 
are the only remedies available to the Department to enforce FERPA. 
Remedies, such as assessing fines against any entity that violates 
FERPA, are not within the Department's statutory authority.
    Under the FERPA regulations, and in accordance with its 
longstanding practice, the Department only will take an enforcement 
action if voluntary compliance and corrective actions cannot first be 
obtained. If the violating entity refuses to come into voluntary 
compliance, the Department can take the above listed enforcement 
actions. However, in addition to these statutorily authorized remedies, 
we encourage FERPA-permitted entities to consider specifying additional 
remedies or sanctions as part of the written agreements with their 
authorized representatives under Sec.  99.35 in order to protect PII 
from education records. Written agreements can be used to permit 
increased flexibility in sanctions, to the extent that the desired 
sanction is permitted under law.
    Changes: None.

Reasonable Methods (Sec.  99.35(a)(2))

    Comment: Commenters were split on whether it was appropriate to 
define ``reasonable methods'' in the regulations. Some commenters 
agreed that the Department should not prescribe reasonable methods in 
the regulations and welcomed the additional flexibility offered by the 
proposed regulations. Others criticized the failure of the proposed 
regulations to require specific reasonable methods, contending that the 
Department was taking steps to allow more access to PII from education 
records but was not taking commensurate steps to prevent misuse of PII 
from education records being disclosed. One commenter requested further 
clarification on the expected enforcement actions the Department would 
take if an LEA or SEA did not use reasonable methods to ensure that its 
authorized representatives were in compliance with FERPA before 
disclosing PII from education records to them.
    Discussion: The Department proposed the reasonable methods 
requirement to increase accountability so that FERPA-permitted entities 
disclosing PII from education records hold their authorized 
representatives accountable for complying with FERPA. FERPA-permitted 
entities must monitor the data handling practices of their own 
employees. They must also use reasonable methods to ensure FERPA 
compliance to the greatest extent practicable by their authorized 
representatives. The Department believes that FERPA-permitted entities 
should be accorded substantial flexibility to determine the most 
appropriate reasonable methods for their particular circumstances. In 
other words, what constitutes a reasonable method for ensuring 
compliance is not a one-size-fits-all solution; there are numerous 
actions a FERPA-permitted entity may take to ensure to the greatest 
extent practicable FERPA compliance by its authorized representatives. 
Nonetheless, while the Department is granting more flexibility to 
determine appropriate reasonable methods given the specific 
circumstances of the data disclosure, the Department will consider a 
FERPA-permitted entity disclosing PII from education records to its 
authorized representative without taking any reasonable methods to be 
in violation of FERPA and subject to enforcement actions by the 
Department.
    It is worth noting that the FERPA regulations already require that 
educational agencies and institutions use reasonable methods such as 
access controls so that school officials only may access those 
education records in which they have a legitimate educational interest. 
See Sec.  99.31(a)(1)(ii). The lack of specificity in Sec.  
99.31(a)(1)(ii) is appropriate, given variations in conditions from 
school-to-school. The Department believes similar flexibility is 
appropriate when FERPA-permitted entities disclose PII from education 
records to authorized representatives.
    While the Department declines to impose specific requirements for 
reasonable methods, we are issuing non-regulatory guidance on best 
practices for reasonable methods as Appendix A. Variations of the 
elements appear in Appendix A as best practices for written agreements. 
In the following paragraphs, we provide a summary and discussion of the 
various suggestions for reasonable methods the Department received in 
response to the NRPM, and discuss whether we consider them best 
practices. Please note that Appendix A may also include best practices 
that were not mentioned by commenters, but that the Department believes 
would result in both increased data and privacy protection.
    Reasonable methods are those actions the disclosing FERPA-permitted 
entity would take to ensure to the greatest extent practicable that its 
authorized representative complies with FERPA. The disclosing FERPA-
permitted entity should generally take most of these actions by 
requiring them in its written agreement with its authorized 
representative. Many commenters discussed how reasonable methods could 
ensure FERPA compliance, but some commenters suggested that these 
techniques be required for FERPA-permitted entities in addition to 
their authorized representatives. While this is beyond the scope of the 
reasonable methods contemplated in the regulations, the best practices 
that the Department provides apply equally to other entities as a 
starting point for good data governance, the responsible use of data, 
and the protection of student privacy.
    The Department has already produced several technical briefs that 
address many of the suggestions the Department received on reasonable 
methods and written agreements: ``Basic Concepts and Definitions for 
Privacy and Confidentiality in Student Education Records,'' ``Data 
Stewardship: Managing Personally Identifiable Information in Electronic 
Student Education Records,'' and ``Statistical Methods for Protecting 
Personally Identifiable Information in Aggregate Reporting.'' The 
briefs can be found at http://nces.ed.gov/programs/ptac/Toolkit.aspx?section=Technical%20Briefs. The Department is continually 
looking to improve the best practices information found in the briefs 
and encourages comments and suggestions to be emailed to the Department 
at SLDStechbrief@ed.gov. As with the best practices in Appendix A to 
this document, these briefs serve as resources for practitioners to 
consider

[[Page 75621]]

adopting or adapting to complement the work they are already doing; 
they are not one-size-fits-all solutions.
    Changes: None.
    Comment: One commenter objected to the use of the word ``ensure,'' 
as it was proposed in Sec.  99.35(a)(2), stating the term was 
``unrealistic and misleading'' as nothing could definitively ensure 
that FERPA violations would not happen.
    Discussion: The Department agrees with the commenter and is 
changing the language concerning reasonable methods in Sec.  
99.35(a)(2) to clarify that we expect FERPA-permitted entities to be 
responsible for using reasonable methods to ensure to the greatest 
extent practicable that their authorized representatives protect PII 
from education records in accordance with FERPA.
    Changes: Section 99.35(a)(2) has been revised to state that FERPA-
permitted entities are ``responsible for using reasonable methods to 
ensure to the greatest extent practicable that any entity or individual 
designated as its authorized representative'' protects PII from 
education records.
    Comment: The Department received multiple suggestions on actions a 
FERPA-permitted entity should take to verify that its authorized 
representative is trustworthy and has a demonstrated track record of 
protecting data responsibly. Several comments suggested the need to 
verify that an authorized representative has disciplinary policies and 
procedures in place to ensure that employees who violate FERPA are 
dealt with appropriately, including possible termination of employment. 
Others suggested that individuals accessing PII from education records 
as authorized representatives should be required to undergo criminal 
background checks. A number of commenters suggested that the Department 
require verification that the authorized representative has a training 
program to teach employees who will have access to PII from education 
records about their responsibilities under FERPA. A common suggestion 
was to require the authorized representative to verify that it has no 
previous record of improperly disclosing PII from education records. 
One possible method of corroboration included requiring the authorized 
representative to divulge under penalty of perjury, both to the entity 
disclosing the data and to the general public, parents, and students, 
whether it has violated any written agreements or otherwise 
inappropriately disclosed FERPA-protected data. Another suggested 
receiving assurances that the authorized representative has no previous 
record of improperly disclosing PII from education records and that it 
is not currently ``under suspension'' from any State or local 
educational authority for inappropriate disclosure of student data. 
Multiple commenters also suggested that the Department publish a list 
of individuals or entities we found to have violated FERPA and against 
which we have taken enforcement actions. Some commenters stated that 
reasonable methods should include verifying that the authorized 
representative is not on that list published by the Department, while 
others suggested that individuals and entities on the list should be 
prevented from entering into future written agreements with all other 
FERPA-permitted entities, not just the FERPA-permitted entity whose 
data were mishandled.
    Discussion: The Department agrees that it is vital to verify that 
the individual or entity acting as an authorized representative has 
proven that it is trustworthy and has policies and procedures in place 
to continue that record. While the Department will not mandate any 
specific requirements, the best practices for reasonable methods in 
Appendix A include:
     Verify the existence of disciplinary policies to protect 
data. The FERPA-permitted entity may want to verify that its authorized 
representative has appropriate disciplinary policies for employees that 
violate FERPA. This can include termination in appropriate instances.
     Know to whom you are disclosing data. The FERPA-permitted 
entity may want to require its authorized representative to conduct 
background investigations of employees who will have access to PII from 
education records, or it may want to conduct these investigations 
itself. Additionally, the FERPA-permitted entity may want to require 
its authorized representative to disclose past FERPA or data management 
violations. If the FERPA-permitted entity discovers past violations, it 
would want to explore the circumstances behind the violation, and 
discover all information that would allow it to make an informed 
judgment on whether the individual or entity is likely to be a 
responsible data steward. This may include discovering whether the 
violation was covered up, including if it was voluntarily reported to 
affected students or FPCO, and whether appropriate breach response 
procedures were followed.
     Verify training. The FERPA-permitted entity may want to 
verify that its authorized representative has a training program to 
teach its employees about FERPA and how to protect PII from education 
records, or the FERPA-permitted entity may want to train its authorized 
representatives itself.
    As these are best practices, it is up to the FERPA-permitted 
entities to determine which actions are appropriate based on the 
circumstances; it is their responsibility to determine whether their 
authorized representatives understand their obligations under FERPA and 
whether they are likely to comply with FERPA's requirements. For 
example, even if an authorized representative discloses a past FERPA 
violation, a FERPA-permitted entity may nonetheless determine that the 
circumstances are such that it is still appropriate to disclose PII 
from education records to that individual or entity. The disclosing 
entity should take all factors into account, including the length of 
time since the violation, subsequent good behavior, corrective actions 
taken to negate the possibility of any similar future violations, etc.
    For the time being, the Department has decided not to implement the 
idea of compiling a list of FERPA violators. The Department believes 
that a public list of entities that have violated FERPA is an 
intriguing idea and will continue to keep this idea in mind and 
possibly implement it at a later date.
    The Department declines to broaden the requirement that, under the 
five-year rule, the authorized representative is prevented only from 
receiving PII from education records from the educational agency or 
institution that originally disclosed the PII from education records. 
The statutory language is clear that the five-year rule only permits 
the Department to prohibit further disclosures from the educational 
agenc(ies) or institution(s) which maintained the original education 
records from which PII was improperly redisclosed.
    If an authorized representative is alleged to have violated FERPA, 
the Department will also investigate the complaint to determine the 
extent to which the disclosing FERPA-permitted entity employed 
reasonable methods. The Department's investigation will consider the 
reasonable methods taken and the specific circumstances of the 
disclosure.
    Changes: None.
    Comment: Numerous commenters suggested that FERPA-permitted 
entities should require their authorized representatives to use 
specific data security methods in order to ensure FERPA compliance. 
Many commenters provided suggestions for data security methods, 
including: Requiring strong encryption, publishing security

[[Page 75622]]

guidelines, instituting dual-key login, preparing formal security 
assessments, instituting a security audit program, completing formal 
risk assessments, monitoring security events, creating data disposal 
procedures, implementing access controls, and monitoring physical 
security controls, including what people keep on their desks and 
printers. Several commenters stated that the Department should 
specifically regulate data security, as HHS does in the Health 
Insurance Portability and Accountability Act of 1996 Security Rule, 45 
CFR 164.306 et seq.
    Discussion: The Department does not believe it is appropriate to 
regulate specific data security requirements under FERPA. The 
Department believes it is more appropriate to allow for flexibility 
based on individual circumstances. In addition, rapid changes in 
technology may potentially make any regulations related to data 
security quickly obsolete. With the increasing move toward mobile 
computing, evolving hacking techniques, and the push toward ever 
stronger encryption standards, we believe that it is inadvisable to 
establish specific regulations in this area.
    Still, the Department recognizes the important need, especially 
with the development of SLDS, for authorized representatives to have 
strong data security policies and programs in place. Data security is 
also an essential part of complying with FERPA as violations of the law 
can occur due to weak or nonexistent data security protocols. As such, 
the Department is adding the following to its best practices, which are 
included as Appendix A to this document:
     Verify the existence of a sound data security plan.
    The FERPA-permitted entity may wish to verify before disclosing PII 
from education records that its authorized representative has a sound 
data security program, one that protects both data at rest and data in 
transmission. A FERPA-permitted entity has a responsibility to 
determine if its authorized representative's data security plan is 
adequate to prevent FERPA violations. The steps that the disclosing 
entity may need to take in order to verify a sound data security 
program are likely to vary with each situation. In some cases, it may 
suffice to add language to the written agreement that states what data 
security measures are required. In other cases, it may be more prudent 
for the FERPA-permitted entity to take a hands-on approach and complete 
a physical inspection. Additionally, the FERPA-permitted entity's 
written agreements could specify required data security elements, 
including requirements related to encryption, where the data can be 
hosted, transmission methodologies, and provisions to prevent 
unauthorized access.
    Changes: None.
    Comment: Some commenters suggested that the Department mandate that 
FERPA-permitted entities require their authorized representatives to 
implement various practices that fall under the rubric of data 
governance. Several commenters suggested the addition of various staff 
positions as part of a proper data governance strategy. One commenter 
suggested that the Department require LEAs to appoint formal FERPA 
compliance liaisons who would develop FERPA policies and procedures and 
provide professional development to those at the LEA who handle PII 
from education records. Another commenter suggested that the FERPA-
permitted entity require the authorized representative to create an 
information security office. One commenter recommended, that as data 
governance is ultimately the responsibility of everyone in an 
organization, that the FERPA-permitted entity should require its 
authorized representative to adopt a formal governance plan that 
includes all levels of stakeholders, such as management, the policy 
team, data providers, and data consumers. The same commenter 
recommended that the Department require FERPA-permitted entities to 
have a formal communications plan so expectations regarding the 
governance plan are known to everyone.
    Discussion: The Department declines to regulate specific data 
governance requirements, as we prefer to grant FERPA-permitted entities 
the flexibility to determine the appropriate elements for their 
authorized representatives to include in a comprehensive governance 
plan. The Department is adding the following element to the best 
practices for reasonable methods in Appendix A:
    Verify the existence of a data stewardship program. The FERPA-
permitted entity may want to examine its authorized representative's 
data stewardship program. Data stewardship should involve internal 
control procedures that protect PII from education records and include 
all aspects of data collection--from planning to maintenance to use and 
dissemination. The Department believes that a good data stewardship 
plan would have support and participation from across the organization, 
including the head of the organization, management, legal counsel, and 
data administrators, providers, and users. The plan should detail the 
organization's policies and procedures to protect privacy and data 
security, including the ongoing management of data collection, 
processing, storage, maintenance, use, and destruction. The plan could 
also include designating an individual to oversee the privacy and 
security of the PII from the education records it maintains.
    As with data security, it is up to the FERPA-permitted entities to 
determine if the authorized representative's data stewardship plan is 
sufficient. Depending on the circumstances of the disclosure, this may 
include simply adding a description of the data governance plan to the 
written agreement or conducting an on-site inspection to ensure the 
authorized representative is properly implementing its plan.
    Changes: None.
    Comment: Multiple commenters suggested ways that reasonable methods 
could be used to prevent the authorized representative from improperly 
redisclosing PII from education records. Some commenters expressed 
concern that there is no bright line rule for how long PII from 
education records could be maintained by an authorized representative 
before it was required to be destroyed or returned. One commenter 
suggested a period of five years should be mandated as the maximum time 
PII from education records could be kept. Others expressed the view 
that exact timelines for keeping data were not warranted. Some 
requested that the Department clarify how PII from education records 
can be retained for purposes of long-term analysis.
    Several commenters asked the Department to require a formal process 
to document the destruction or return of the disclosed PII from 
education records, such as a notarized letter, to ensure that both the 
disclosing FERPA-permitted entity and the authorized representative are 
upholding their responsibilities. Some commenters argued that this type 
of process would be ideal as it is often too difficult for the 
disclosing FERPA-permitted entity to verify that PII from education 
records has in fact been fully destroyed, and that the authorized 
representative did not maintain some electronic copy of the PII. If 
such a notarized statement were required, one commenter then asserted 
that the FERPA-permitted entity making the disclosure be held harmless 
if its authorized representative nonetheless maintained a copy of the 
data. Others stated that there should be more flexibility, such as 
permitting the storage of PII from education records in

[[Page 75623]]

secure archives as opposed to fully returning or destroying it.
    The Department also received comments suggesting that we limit the 
number or nature of data elements in PII from education records that 
can be disclosed or included in an SLDS, including how that data could 
potentially be linked to other information. The Department received 
comments stating that FERPA-permitted entities should be given the 
right to review any document being published by the authorized 
representative that uses the disclosed PII from education records to 
ensure that proper disclosure avoidance techniques were used to prevent 
an unauthorized disclosure. Finally, several commenters requested that 
reasonable methods include a provision that would allow the disclosing 
FERPA-permitted entity access to the authorized representative's 
policies, procedures, and systems to conduct monitoring and audit 
activities to ensure the authorized representative is taking all 
necessary steps to protect the PII from education records. Some 
commenters stated that these audits should be completed by independent 
third parties. Other commenters requested that the results of the 
audits be disclosed to the public.
    Discussion: The Department believes that outlining the time period 
that an authorized representative can maintain data for the purpose of 
an audit, evaluation, or enforcement or compliance activity is 
extremely important, which is why it is one of the minimum required 
components of the written agreement (see Sec.  99.35(a)(3)(iv)). 
Nonetheless, the Department declines to specify a set period of time in 
the regulations for data retention, as the necessary amount of 
retention time is highly fact specific. For example, if an SEA is 
disclosing PII from education records to an authorized representative 
for an evaluation that is expected to take six months, it may be, 
depending on the circumstances of the evaluation, reasonable to require 
that the authorized representative to destroy the disclosed PII in six 
months. If, however, an SEA is disclosing PII from education records to 
a regional entity for a longitudinal, multi-year evaluation, the 
written agreement might specify that data retention would be reviewed 
annually, with data elements being retained or destroyed as 
appropriate. The Department believes it is important to leave the 
determination of the appropriate time period up to the parties to the 
agreement.
    The comments about methods for destruction do, however, point out a 
potential inconsistency in the NPRM that should be corrected. The NPRM 
provided that in some instances data must be destroyed when no longer 
needed, and that the data must be returned or destroyed in other 
instances. We believe the reference to returning data was more 
appropriate in a paper-based environment, and that destroying data is 
the more appropriate action when discussing electronic records. An 
entity could elect to destroy the data in question by returning the 
original file and erasing all versions of the data from its servers.
    Accordingly, we have decided to remove the proposed requirements in 
Sec.  99.35(a)(3)(iii) and (a)(3)(iv) that permitted an authorized 
representative to return PII from education records to the FERPA-
permitted entity, in lieu of destroying such information, in order to 
correct the inconsistency.
    While the Department is not regulating on this particular process, 
when assessing responsibility, if the Department finds that PII from 
education records has not been appropriately destroyed by an authorized 
representative, the Department would review all of the reasonable 
methods taken by the disclosing FERPA-permitted entity, such as if the 
written agreement included a formal process to verify the destruction 
of PII from education records.
    The Department is not addressing through the FERPA regulations the 
number or nature of elements that can be disclosed, included in an 
SLDS, or linked to other elements. As stated earlier, FERPA is not a 
data collection statute, and it is beyond the scope of the statute to 
address these issues in these regulations. So long as all requirements 
of FERPA are met, the parties to the agreement have the flexibility to 
determine what elements should be disclosed and how they can be 
combined with other elements. Still, the FERPA regulations require that 
PII from education records may not be used for any purpose other than 
the audit, evaluation, or enforcement or compliance activity that 
prompted the original disclosure.
    It is important that the authorized representative not purposely or 
inadvertently redisclose PII from education records inappropriately. 
For example, the written agreement could reflect the expectations that 
the FERPA-permitted entities have of the authorized representatives 
when it comes to making the data public. Methods, such as using 
disclosure avoidance techniques or exercising the right to review and 
approve any reports using the data before release, can be detailed in 
the written agreement to help ensure that unauthorized redisclosures do 
not happen.
    In addition, the FERPA-permitted entities might wish to maintain 
the right to conduct monitoring and audits of the authorized 
representative's processes, procedures, and systems. If the FERPA-
permitted entities decide to exercise this right, they should be free 
to choose who should conduct the audits or monitoring activities, 
whether it is themselves or an external third party, and if the results 
should be made public. The Department declines to regulate on this 
issue as we do not believe that it will always be necessary to conduct 
such audits or monitoring activities. The parties to the data 
disclosure agreement can determine if such activity is warranted based 
on criteria, such as the scope or duration of the audit, evaluation, or 
enforcement or compliance activity.
    Based on the discussion in this section, we are including the 
following elements in Appendix A as best practices for FERPA-permitted 
entities to consider when implementing reasonable methods.
     Convey the limitations on the data. A FERPA-permitted 
entity should take steps to ensure that its authorized representative 
knows the limitations on the use of the data (i.e., that the data is 
only to carry out the audit or evaluation of Federal- or State-
supported education programs, or to enforce or to comply with Federal 
legal requirements that relate to those programs).
     Obtain assurances against redisclosure. A FERPA-permitted 
entity should obtain assurances from its authorized representative that 
the data will not be redisclosed without permission, including such 
assurances that the authorized representative will provide the FERPA-
permitted entity (the disclosing entity) the right to review any data 
prior to publication and to verify proper disclosure avoidance 
techniques have been used.
     Be clear about destruction. A FERPA-permitted entity 
should set clear expectations so its authorized representative knows 
what process needs to be followed for the proper destruction of PII 
from education records.
     Maintain a right to audit. A FERPA-permitted entity should 
maintain the right to conduct audits or other monitoring activities of 
the authorized representative's policies, procedures, and systems.
     Disclose only PII from education records that is needed. 
When the FERPA-permitted entity considers disclosing PII from education 
records to an authorized representative for an

[[Page 75624]]

audit, evaluation, or enforcement or compliance activity, it may want 
to explore which specific data elements are necessary for that activity 
and provide only those elements. FERPA-permitted entities should take 
care to ensure that they are not disclosing more PII from education 
records than needed for the stated activity and purpose. FERPA-
permitted entities should also explore whether PII from education 
records is actually required, or whether de-identified data would 
suffice.
    Changes: The Department has removed the proposed requirement in 
Sec.  99.35(a)(3)(iii) and (a)(3)(iv) that permitted an authorized 
representative to return PII from education records to the FERPA-
permitted entity, in lieu of destroying such information, in order to 
be more consistent with the statute and to correct an inconsistency in 
the NPRM.

Written Agreements (Sec.  99.35(a)(3))

    Comment: As with reasonable methods, the Department received mixed 
comments on the value of the proposed written agreement requirement and 
suggestions for how to improve it. One commenter, while approving of 
the written agreement provision, expressed concern that the proposed 
changes would relieve data recipients of responsibility for actually 
implementing protections, theorizing that the agreements would require 
only that ``policies and procedures'' be established, rather than the 
inclusion of any provisions providing true accountability. Other 
commenters requested that the Department provide the flexibility to 
FERPA-permitted entities to draft agreements that meet the needs and 
requirements of the circumstances of the data disclosures and the 
requirements of the relevant State and local laws. One requester asked 
the Department to add the phrase ``including but not limited to'' when 
referring to the specific requirements of written agreements as laid 
out in the NPRM. Several commenters requested further guidance on 
written agreements, including asking the Department to provide a model 
template. One commenter asked the Department to provide clarity around 
why the ``other than an employee'' language is included in the written 
agreement requirement. Another commenter requested that the Department 
replace the term ``written agreement'' with ``data exchange agreement'' 
because the commenter believed the ``written agreement'' term is too 
vague and ``data exchange agreement'' is the standard information 
security term.
    Discussion: The Department proposed adding a new Sec.  99.35(a)(3) 
to require written agreements when FERPA-permitted entities designate 
an authorized representative (other than an employee) under the audit 
or evaluation exception. The proposal included several specific 
provisions that must be included in written agreements: (1) Designate 
the individual or entity as an authorized representative; (2) specify 
the information to be disclosed and that the purpose for which the 
information is disclosed to the authorized representative is to carry 
out an audit or evaluation of Federal- or State-supported education 
programs, or to enforce or to comply with Federal legal requirements 
that relate to those programs; (3) require the authorized 
representative to destroy or return to the State or local educational 
authority or agency headed by an official listed in Sec.  99.31(a)(3) 
personally identifiable information from education records when the 
information is no longer needed for the purpose specified; (4) specify 
the time period in which the information must be returned or destroyed; 
and (5) establish policies and procedures consistent with FERPA and 
other Federal and State confidentiality and privacy provisions to 
protect personally identifiable information from education records from 
further disclosure (except back to the disclosing entity) and 
unauthorized use, including limiting use of personally identifiable 
information to only authorized representatives with legitimate 
interests.
    While the Department agrees that it is vital that written 
agreements clearly set forth all parties' obligations with respect to 
PII from education records, the Department believes that it would be 
inappropriate to be more prescriptive than the specific safeguards and 
provisions we are including in these regulations. The Department 
believes that it is more appropriate to provide the parties to the 
agreements with the flexibility to draft written agreements that meet 
the specific needs of the circumstances surrounding the data 
disclosure. In addition, the Department defers to State law governing 
contracts and written agreements, including the imposition of allowable 
sanctions.
    While the Department declines to impose additional requirements for 
written agreements, the Department is including in Appendix A a summary 
of best practices for written agreements. In the following discussion, 
we address comments and suggestions the Department received and whether 
the Department considers these best practices. Appendix A also includes 
best practices that have not been mentioned in the comments, but the 
adoption of which the Department believes would result in increased 
accountability for all parties to the agreement. At this time the 
Department is not providing a model template for a written agreement 
but intends to issue one as additional non-regulatory guidance at a 
later date. It is also worth noting that the studies exception has had 
a requirement for written agreements since 2008. The matters discussed 
here logically apply to PII from education records disclosed under both 
the studies and audit or evaluation exceptions. It is only through the 
use of written agreements that parties can establish legally binding 
roles and responsibilities.
    We specifically carve out employees from the written agreement 
requirements reflected in Sec.  99.35(a)(3) because the Department is 
not requiring written agreements when FERPA-permitted entities use 
their own employees to conduct audits, evaluations, or compliance or 
enforcement activities. Agreements under the audit or evaluation 
exception are only necessary when an authorized representative is 
selected that is outside of the organization disclosing the data. 
Employees have an inherently different relationship with their 
employing organization than does an outside entity. It is important 
that any organization with access to PII from education records train 
its employees about their responsibilities under FERPA, including 
proper data governance and data security procedures. We would expect, 
therefore, that organizations would establish conditions of employment 
for their employees that are consistent with the components required of 
written agreements under Sec.  99.35(a)(3) and that violations of those 
conditions would result in disciplinary actions, up to and including 
termination.
    The Department declines to add the suggested ``including but not 
limited to'' language when referring to the minimum written agreement 
provisions specified in the regulations. The language in the final 
regulations, as proposed in the NPRM, reads that the written agreement 
must include these provisions but does not indicate that these are the 
only provisions that can be included in the written agreement. As such, 
the Department believes that the ``including but not limited to'' 
language is implied and therefore unnecessary.
    Likewise, the Department declines to change the term ``written 
agreement'' to ``data exchange agreement.'' ``Written agreement'' is a 
general term that would include the more specific ``data

[[Page 75625]]

exchange agreement.'' The Department is leaving it up to the discretion 
of the parties to the agreement to decide how the agreement may be 
termed, whether that be written agreement, contract, memorandum of 
understanding, data exchange agreement, or some other term.
    Changes: None.
    Comment: Several commenters seemed to misinterpret one of the 
Department's proposed required components of the written agreement: 
``Specify the information to be disclosed and that the purpose for 
which the information is disclosed to the authorized representative is 
to carry out an audit or evaluation of Federal or State supported 
education programs, or to enforce or to comply with Federal legal 
requirements that relate to those programs.'' These commenters stated 
that the Department was requiring the written agreement to include 
``the purposes for which the information is being disclosed.'' Others 
noted that anytime PII from education records is shared through one of 
the exceptions to the general consent rule under FERPA, the specific 
reasons for that disclosure should be clearly stated.
    Discussion: The Department originally only proposed that a written 
agreement include a statement that the purpose of the disclosure was 
for an audit, evaluation, or enforcement or compliance activity. The 
NPRM did not include a requirement to describe the details of the 
activity or why PII from education records was a necessary component to 
the activity. Based on the comments we received, the Department is 
revising the regulations to require that written agreements include a 
description of the audit, evaluation, or enforcement or compliance 
activity.
    Changes: Section 99.35(a)(3)(ii)(C) is added to require that the 
written agreement include a description of the activity with sufficient 
specificity to make clear that the work falls within the exception of 
Sec.  99.31(a)(3), including a description of how the personally 
identifiable information from education records will be used.
    Comment: Several commenters suggested that FERPA-permitted entities 
should be required to provide information about PII from education 
records being disclosed, such as the data elements being shared and the 
purpose of the disclosure, to parents and other stakeholders. Use of a 
Web site for this purpose was specifically recommended, particularly 
for posting the information on the minimum provisions required for 
written agreements. One commenter noted that it was important for the 
written agreements to be made available in order for the public to 
provide oversight regarding the appropriateness of the data 
disclosures.
    Discussion: The Department concurs that transparency is important 
to ensuring the accountability of all parties. While we decline to 
issue regulations requiring it, we suggest that FERPA-permitted 
entities post substantive information on their Web sites or in other 
public locations about the disclosure of PII from education records, 
including the written agreements governing data disclosures and 
information about specific projects and uses. As such, we have added 
the following to Appendix A as a best practice:
     Inform the public about written agreements. Transparency 
is a best practice. The FERPA-permitted entity might want to post its 
data sharing agreements on its Web site, or provide some equivalent 
method to let interested parties know what data it is sharing, the 
reasons it is being disclosed, and how it is being protected. While the 
Department generally recommends public posting of written agreements, 
parties are encouraged to review their contractual data security 
provisions carefully and redact, prior to publication, any provisions 
that may aid those seeking unauthorized access to systems. In certain 
instances a separate confidential IT Security Plan may be appropriate.
    Changes: None.
    Comment: The Department received multiple suggestions on ways to 
increase the legal protections offered by the written agreements. 
Several commenters requested that the Department explicitly require 
that the written agreements comply with all applicable laws, whether at 
the Federal, State, or local level. One commenter specifically 
mentioned ensuring compliance with State data security laws and 
policies. Several commenters requested the inclusion of provisions that 
would ensure that Institutional Review Board (IRB) protocols are in 
place and properly implemented. Another commenter requested that the 
Department require the written agreement to include a provision 
specifying the legal authority for the data disclosure in order to 
ensure that anyone disclosing or receiving PII from education records 
has the authority to do so. Finally, the Department received many 
comments stating that increased accountability over authorized 
representatives could be achieved if the Department required that 
written agreements have the force of a contract under applicable State 
law. Specifically, these commenters strongly urged the Department to 
mandate, as a condition of data disclosure, that the written agreements 
include contractual safeguards such as liquidated damage provisions for 
breach of the agreement and third party beneficiary status for 
individuals whose PII from education records is disclosed.
    Discussion: The Department agrees with many of the suggestions 
included in these comments; however, we decline to incorporate them as 
regulatory requirements. Rather, many suggestions have been included as 
best practices for written agreements in order to provide FERPA-
permitted entities with the flexibility to craft provisions in the 
written agreements that meet their specific needs and the circumstances 
of the data disclosures. The Department agrees that the written 
agreements must comply with all applicable laws at the Federal, State, 
and local levels. This would include any State data security laws. The 
Department cannot regulate through FERPA on whether IRB review and 
approval is necessary or prudent. On the other hand, if the 
circumstances surrounding the audit, evaluation, or enforcement or 
compliance activity dictate that IRB involvement is required, it would 
be a best practice for the written agreement to reflect that. It should 
be noted, however, that the amendments are not intended to supersede 
the research regulations under the Common Rule that apply to Federally 
funded research of educational data that qualifies as human subject 
research. This includes the requirement that the researcher receive a 
waiver from an IRB if they intend to conduct research with identifiable 
information without consent of the participants.
    The Department also agrees that it is sensible to list the express 
or implied legal authority that permits the data disclosure and the 
audit, evaluation, or enforcement or compliance activity. As stated 
elsewhere in this document, FERPA itself does not grant the authority 
for these activities, and the existence of this authority is generally 
a matter of other Federal, State, and local laws.
    In general, the Department agrees with the view that written 
agreements should be used, to the extent permissible under applicable 
State law, to ensure that authorized representatives (other than 
employees) comply with FERPA to the greatest extent practicable. While 
the Department believes that there is merit in having written 
agreements that clearly set forth all parties' obligations with respect 
to FERPA-protected information, the Department believes

[[Page 75626]]

that it would be inappropriate to require that the parties include 
specific contractual safeguards. The fact that the authority to enforce 
FERPA lies with the Department should not be taken to abrogate the 
responsibility that FERPA-permitted entities have to protect PII from 
education records. FERPA-permitted entities that are disclosing PII 
from education records to authorized representatives (other than 
employees) are encouraged to provide for sanctions in their written 
agreements, and to enforce those sanctions. The Department believes 
that it is appropriate to defer to applicable State laws governing 
contracts and written agreements for purposes of safeguarding FERPA-
protected information.
    Based on these suggestions, the following is being added to the 
best practices listed in Appendix A:
     Identify and comply with all legal requirements. It is 
important to remember that FERPA may not be the only law that governs a 
data sharing agreement. The agreement could broadly require compliance 
with all applicable Federal, State, and local laws and regulations, and 
identify the legal authority (whether express or implied) that permits 
the audit, evaluation, or enforcement or compliance activity.
     Mention Institutional Review Board (IRB) review and 
approval. While FERPA does not mention IRBs, research proposals 
involving human subjects may have to be reviewed and approved by IRBs, 
if required under protection of human subject regulations of the 
Department and other Federal agencies. If IRB review and approval is 
required or expected, this may be noted in the written agreement.
     Identify penalties. The agreement could include penalties 
under State contract law such as liquidated damages, data bans of 
varying length, and any other penalties the parties to the agreement 
deem appropriate. The FERPA-permitted entity may want its agreement to 
create third-party beneficiary rights, e.g., allowing parties injured 
by a data breach to sue for damages. While FERPA itself has little 
flexibility for sanctions, the FERPA-permitted entity can include a 
wide range of appropriate sanctions in its written agreements.
    Changes: None.
    Comment: Several commenters suggested that because the disclosure 
of PII from education records may create serious risks such as identify 
theft, the proposed regulations should require timely notification to 
parents and eligible students when their data has been disclosed as a 
result of a data security breach. Commenters also suggested that the 
written agreement include provisions for the handling of the breach, 
such as who would bear the costs associated with notifying those 
affected.
    Discussion: The Department takes seriously the suggestion that 
parents and eligible students should be notified when PII from 
education records has been disclosed in violation of FERPA and agrees 
that notice should be given when there is a data security breach. 
However, the Department declines to impose through the FERPA 
regulations specific requirements for breach notification. This will 
allow FERPA-permitted entities the requisite flexibility to ascertain 
the appropriate responses and approaches to their particular situations 
and to comply with any existing Federal, State, or local laws or 
regulations governing breach notification.
    Good data governance also includes breach notification; every 
organization responsible for managing education records that contain 
PII should maintain a breach response plan. These plans should provide 
specific guidelines for an appropriate and timely response to a breach, 
including a clear description of what constitutes a breach, and a 
description of the immediate steps to be taken in the event that a 
breach is suspected. In particular, there should be a designated person 
in the management chain who will be notified in the event of actual or 
suspected breaches. When a breach occurs, the designated authority 
should conduct an analysis of the likelihood of exposure and potential 
harm to affected individuals. This analysis will inform whether 
notification is warranted and what its content may be. There should 
also be an analysis of the circumstances that resulted in the breach, 
so that the system or procedures can be modified as quickly as possible 
to avoid further breaches through the same mechanism.
    Although the Department is not regulating on breach notification, 
the following is being added to the best practices listed in Appendix 
A:
     Have plans to handle a data breach. While no one 
anticipates a data breach, data loss may occur. The FERPA-permitted 
entity may wish to include specific procedures in its written 
agreements detailing the parties' expectations in the event that PII 
from education records is lost, including specifying the parties' 
responsibilities with regard to breach response and notification and 
financial responsibility.
    Changes: None.
    Comment: The Department received requests to clarify to whom 
breaches of written agreements should be reported.
    Discussion: As discussed earlier in this preamble, it is not only 
the FERPA regulations that govern what can be included in a written 
agreement. As such, it is important to address any remedies that are 
also available under State law. Nonetheless, a breach of the provisions 
in a written agreement may also constitute a violation of FERPA and 
should therefore be reported to FPCO.
    Changes: None.
    Comment: None.
    Discussion: The Department wishes to reduce the implementation 
burden of the new written agreement requirement in Sec.  99.35(a)(3) on 
FERPA-permitted entities by only requiring that new, renewed, or 
amended written agreements with authorized representatives that are 
entered into on or after the effective date of the regulations comply 
with the new requirement. The written agreement requirement in Sec.  
99.35(a)(3) must be adhered to for any new designation of an authorized 
representative that is not an employee as of the effective date of 
these regulations. As provided in the DATES section of the preamble, 
for written agreements that are in place with authorized 
representatives prior to the effective date of the regulations, FERPA-
permitted entities must comply with the written agreement requirements 
in Sec.  99.35(a)(3) when they renew or amend their agreements.
    Changes: None.

Protection of PII From Education Records By FERPA-Permitted Entities 
(Sec.  99.35(b)(1))

    Comment: None.
    Discussion: The Department wishes to make the language used to 
refer to FERPA-permitted entities in Sec.  99.35(b)(1) consistent with 
the language used to refer to FERPA-permitted entities in Sec. Sec.  
99.35(a)(2) and (a)(3).
    Changes: We have revised Sec.  99.35(b)(1) so that it uses the 
term, ``State or local educational authority or agency headed by an 
official listed in Sec.  99.31(a)(3),'' which is used in Sec. Sec.  
99.35(a)(2) and (a)(3).

Disclosures to Organizations Conducting Studies (Sec.  99.31(a)(6))

    Comment: A few commenters suggested that FERPA's ``for, or on 
behalf of'' requirement in the studies exception contains a significant 
limitation. Specifically, these commenters suggested that the exception 
prohibits FERPA-permitted entities, such as an SEA, from redisclosing 
PII from education records that they received under one of FERPA's 
exceptions to the general consent rule,

[[Page 75627]]

for, or on behalf of, the original disclosing educational agency or 
institution, such as an LEA, if the original agency or institution 
objected to the disclosure. Another commenter asked that we further 
amend Sec.  99.31(a)(6) to permit disclosures to organizations 
conducting studies for, on behalf of, or in partnership with, or in the 
interest of, educational agencies or institutions, as determined by 
those agencies or institutions.
    Discussion: We disagree that the phrase ``for, or on behalf of'' 
prohibits a disclosure to which the original disclosing educational 
agency or institution objects. Historically, the Department has viewed 
the ``for, or on behalf of'' requirement as being based on the unstated 
premise that some form of agreement by the original disclosing 
educational agency or institution, such as an LEA or postsecondary 
institution, was a necessary prerequisite for these types of 
disclosure. However, it has become necessary for the Department to 
consider whether its interpretation concerning the ``for, or on behalf 
of'' language was fully consistent with recently enacted laws.
    We have concluded that ``for, or on behalf of'' does not require 
the assent of or express approval by the original disclosing 
educational agency or institution. For example, it is not necessary for 
an SEA to secure the approval of an LEA prior to making disclosures 
for, or on behalf of the LEA, so long as the SEA is acting with express 
or implied legal authority and for the benefit of the LEA.
    The changes to Sec.  99.31(a)(6)(ii) are necessary to clarify that 
while FERPA does not confer legal authority on FERPA-permitted entities 
to enter into agreements and act as representatives of LEAs or 
postsecondary institutions, nothing in FERPA prevents them from 
entering into agreements and redisclosing PII from education records 
related to studies conducted on behalf of LEAs or postsecondary 
institutions under Sec.  99.31(a)(6), provided that the redisclosure 
requirements in Sec.  99.33(b) are met. Permissive disclosures of this 
type may be made notwithstanding the objection of the LEA or 
postsecondary institution so long as the disclosing FERPA-permitted 
entity has independent authority to have the study conducted, whether 
expressly stated or implied, and makes the disclosure on behalf of the 
LEA or postsecondary institution.
    We anticipate that the majority of redisclosures made by FERPA-
permitted entities will be made for, or with the approval of, the 
original disclosing educational agency or institution. Nevertheless, we 
can reasonably foresee instances in which these FERPA-permitted 
entities would make redisclosures on behalf of an LEA or postsecondary 
institution without obtaining its approval.
    For instance, an SEA must have the authority to enter into 
agreements with researchers to conduct studies to improve instruction 
across LEAs within its own State. Studies such as these can help States 
save money and improve student outcomes by identifying effective 
practices and targeting limited resources accordingly, while 
simultaneously increasing the transparency of taxpayer investments. 
Therefore, in order to provide greater flexibility to FERPA-permitted 
entities, we interpret the phrase ``for, or on behalf of'' to recognize 
both disclosures for the LEA or postsecondary institution that are made 
with the approval of the LEA or postsecondary institution and 
disclosures made on behalf of the LEA or postsecondary institution that 
are made for their benefit in the absence of their approval.
    This approach ensures that FERPA-permitted entities have the 
necessary latitude to fulfill their statutory and regulatory mandates. 
They may conduct studies of publicly funded education programs while 
still ensuring that any PII from education records is appropriately 
protected. FERPA permits disclosure without consent to an organization 
conducting a study ``for, or on behalf of, educational agencies or 
institutions'' for statutorily enumerated purposes. 20 U.S.C. 
1232g(b)(1)(F). We see no need to deviate from the statutory language 
in the regulations and agree that Sec.  99.31(a)(6) permits disclosure 
without consent to organizations conducting studies in partnership with 
educational agencies or institutions, in which case we would view the 
study as being ``for'' the educational agencies or institutions. 
Similarly, as explained earlier in this discussion, we also view Sec.  
99.31(a)(6) as permitting disclosure without consent to organizations 
conducting studies for the benefit of educational agencies or 
institutions, in which case we would consider the study to be ``on 
behalf of'' educational agencies or institutions.
    However, we disagree with the contention that only an educational 
agency or institution may make the determination regarding whether a 
study is for or on its behalf. Rather, FERPA-permitted entities may 
also make the determination that a study is for the benefit of the 
original disclosing educational agency or institution. For example, an 
SEA may conduct a study that compares program outcomes across its LEAs 
to further assess what programs provide the best instruction and then 
duplicate those results in other LEAs.
    Changes: None.
    Comment: None.
    Discussion: Upon further review, we decided to remove the proposed 
requirement in Sec.  99.31(a)(6)(iii)(C)(4) and the requirement in 
Sec.  99.31(a)(6)(ii)(C)(4) of the current regulations that permitted 
an organization conducting a study to return PII from education records 
to the FERPA-permitted entity, in lieu of destroying such information. 
We made these changes so that the regulations are more consistent with 
the statute, which requires the destruction of such information, and to 
correct an inconsistency in the current and proposed regulations, which 
required both the destruction of such information and the return or 
destruction of such information. While returning the information to the 
originating entity can be a form of destruction so long as the 
organization conducting the study also properly erases all PII from 
education records that is maintained in electronic format, returning 
the information would be insufficient if the PII from education records 
is continued to be maintained in electronic format by the organization 
conducting the study.
    Changes: We have removed the proposed requirement in Sec.  
99.31(a)(6)(iii)(C)(4) and the requirement in Sec.  
99.31(a)(6)(ii)(C)(4) of the current regulations that permitted an 
organization conducting a study to return PII from education records, 
in lieu of destroying such information, in order to be more consistent 
with the statute and to correct an inconsistency in the current and 
proposed regulations.

Directory Information (Sec. Sec.  99.3 and 99.37)

Definition of Directory Information (Sec.  99.3)

    Comment: One commenter supported the proposed change to the 
definition of ``directory information,'' which clarifies that an 
educational agency or institution may designate and disclose as 
directory information a student's ID number, or other unique personal 
identifier that is displayed on a student's ID card or badge, if the 
identifier cannot be used to gain access to education records, except 
when used in conjunction with one or more factors that authenticate the 
student's identity. We also received numerous comments from a variety 
of parties that expressed support for this change.
    One commenter suggested that we remove from the definition of 
``directory

[[Page 75628]]

information'' the items ``address,'' ``telephone listing,'' and ``date 
and place of birth,'' noting that the availability of directory 
information jeopardizes students' right to privacy and makes identity 
theft easier. Another commenter raised a number of concerns about how 
directory information might affect a student who is homeless and 
recommended that a student's address not be included in the definition 
of ``directory information'' for a student who meets the definition of 
``homeless child or youth'' under the McKinney-Vento Homeless 
Assistance Act. For a number of reasons, the commenter stated that 
disclosing a homeless student's address would be harmful or an invasion 
of privacy. A few commenters raised concerns about what they mistakenly 
thought was an expansion of the definition of ``directory information'' 
by including any student ID number, user ID, or other unique personal 
identifier used by a student for purposes of accessing or communicating 
in electronic systems.
    Discussion: We appreciate the support that we received from those 
parties who agreed with the clarification we proposed to the definition 
of ``directory information,'' and we regret any confusion caused by 
including the entire definition in the NPRM. As we explained in the 
preamble to the NPRM, we proposed to modify the definition of 
``directory information'' only to clarify that under Sec.  99.37(c)(2), 
an educational agency or institution may require students to wear or 
display ID badges or identity cards that display directory information, 
even if the parent or the eligible student opted out of directory 
information. The inclusion of a student ID number or other unique 
identifier in the definition of ``directory information'' is not new; 
we made this amendment in 2008. The NPRM merely proposed to establish 
that the student ID number or other unique identifier that we allowed 
to be designated as directory information in 2008 could also be 
displayed on a student ID card or badge.
    With regard to the concerns about including in the definition of 
``directory information'' such items as ``address,'' ``telephone 
listing,'' and ``date and place of birth,'' we note that these items 
have been in the FERPA statute since its enactment in 1974, and any 
change to remove these items would require congressional action. We 
include these and other items in the regulations, explaining in Sec.  
99.37 that an educational agency or institution may disclose directory 
information under certain conditions, including the condition that it 
notify parents and eligible students of the types of PII from education 
records it has designated as directory information. If a school has the 
administrative capacity, it may permit parents or eligible students to 
opt out of specific items it has designated. However, it has been our 
understanding that most schools do not have the administrative capacity 
to permit parents and eligible students to opt out of some, but not 
all, directory information. Because the disclosure of directory 
information is permissive, we have advised schools that they can employ 
an all-or-nothing approach to the disclosure of directory information. 
That is, a school may provide public notice of the items that it has 
designated as directory information and permit parents and eligible 
students to opt out of the disclosure of the items as a whole.
    With regard to the comment about not designating an address as 
``directory information'' for a student who is homeless, as explained 
elsewhere, FERPA provides schools with the authority to include or 
exclude any items within the definition of ``directory information.''
    The definition of ``directory information'' in FERPA is generally a 
guideline for schools to use in designating types of information as 
directory information. A school is not required to designate all of the 
types of information given as examples in FERPA as directory 
information. The decision to designate certain types of information as 
directory information, such as the student's address, is left to the 
discretion of the individual educational agency or institution.
    We share the concerns raised by commenters that certain directory 
information items may make identity theft easier in our modern 
information age. We encourage school officials to be cognizant of this 
fact and, if feasible, to work hand-in-hand with parents and eligible 
students in their community to develop a directory information policy 
that specifically meets their needs and addresses legitimate concerns.
    Changes: None.

Student ID Cards and ID Badges (Sec.  99.37)

    Comment: Several commenters expressed support for the proposed 
amendment in Sec.  99.37(c)(2), which provides that parents and 
eligible students may not use their right to opt out of directory 
information disclosures in order to prevent an educational agency or 
institution from requiring students to wear or otherwise disclose 
student ID cards or badges that display information that may be 
directory information. One commenter noted that schools can embed 
student ID numbers in bar codes or magnetic stripes, as needed, to 
avoid any privacy conflicts. A student stated that a university should 
be able to require that students wear ID badges on campus in order to 
better protect students.
    Another commenter recommended that we specify which directory 
information can be displayed on a student ID card or badge. Some 
commenters asked if there would be any situations in which a student 
might be exempted from wearing an ID badge, such as where a student is 
the victim of stalking at a large postsecondary institution. Another 
commenter expressed concern that including a student ID number as 
directory information would have a negative effect on students 
receiving services under the Individuals with Disabilities Education 
Act (IDEA) and raised concerns about physical safety and protection 
from identity theft. The commenter suggested that a student ID number 
or other unique identifier that may be displayed on a student ID card 
and is designated as directory information should not be used--even in 
conjunction with one or more factors that authenticate the user's 
identity--to gain access to education records. The same commenter 
supported permitting a school to require a student to wear or publicly 
display a student ID card or badge that exhibits directory information, 
as long as the student ID number cannot be used to gain access to 
education records.
    A commenter also suggested that we amend this provision to include 
other activities for which parents and eligible students cannot opt 
out, such as participation in education activities that require sign-in 
access to electronic systems. Specifically, the commenter requested 
that we add a new requirement stating that a parent or eligible student 
could not opt out of directory information disclosures to prevent an 
educational agency or institution from disclosing or requiring a 
student to disclose the student's name, identifier, or institutional 
email address in a class in which the student is enrolled. This would 
include access to instruction, curriculum, courses, or other 
administrative functions provided online. The commenter stated that the 
increased use of electronic systems for both instructional and 
administrative activities dictates that the Secretary not differentiate 
between these types of activities in which students may opt out. The 
commenter asked for these changes to ensure that students are not 
allowed to opt out of participation in various classroom or other 
instructional activities simply because they have to

[[Page 75629]]

sign on to an electronic system. Another commenter asked that we not 
permit the student's picture to be on the student ID. This commenter 
also expressed support for permitting parents and eligible students to 
have the right to opt out of wearing a student ID badge.
    Discussion: We appreciate the support we received concerning this 
proposed change. With regard to the comment that we specify the 
directory information that can or cannot be displayed on an ID card or 
badge (e.g., a student's picture), we do not believe this is 
appropriate or necessary. Rather, we believe that educational agencies 
and institutions should have the flexibility to make these 
determinations best suited to their particular situations. Similarly, 
we do not believe that we should require that information displayed on 
a student ID card or badge contain only information that cannot be used 
to gain access to education records. Student ID numbers, user IDs, and 
any other unique personal identifiers may only be included as directory 
information if they cannot be used to gain access to education records 
except when used in conjunction with one or more other factors that 
authenticate the user's identity.
    For the same reasons school administrators need the flexibility to 
determine what type of information is directory information, they need 
to have the flexibility to determine what directory information should 
be included on a student ID card or badge. Smaller schools may know 
their student population well enough that they may not need to have an 
ID number or other unique identifier, while larger LEAs, colleges, and 
universities may need to include more information. As one school 
official noted, educational agencies and institutions can embed student 
ID numbers in bar codes or magnetic stripes to address privacy 
concerns, including identity theft. This practice would also address 
the apprehension of some commenters that some students may have special 
reasons for not wearing ID badges, such as special education students, 
younger children, or students who are the victims of stalking. This 
amendment to FERPA permits, but does not require, schools to include 
directory information on student ID cards and badges or to require 
students to wear or display ID cards and badges.
    With regard to the request that we include other activities for 
which parents and student cannot opt out, such as activities that 
require sign-in access to electronic systems for instructional and 
administrative activities, we note that this is outside the scope of 
the NRPM and, therefore, do not believe it is appropriate to address in 
these final regulations.
    Additionally, in 2008, we expanded the definition of ``directory 
information'' in Sec.  99.3 of the FERPA regulations to include a 
student ID number, user ID, or other unique personal identifier used by 
the student for purposes of accessing or communication in electronic 
systems, if the identifier could not be used to gain access to 
education records, except when used in conjunction with one or more 
factors to authenticate the user's identity. Further, the 2008 
regulation changes clarified the definition of ``attendance'' to 
clarify that students who are not physically present in the classroom 
may attend an educational agency or institution via videoconference, 
satellite, Internet, or other electronic information and 
telecommunications technologies.
    In 2008, we also amended Sec.  99.37(c) to state that parents or 
eligible students may not use their right to opt out of directory 
information to prevent a school from disclosing, or requiring the 
disclosure of, a student's name, identifier, or institutional email 
address in a class in which the student is enrolled. 73 FR 74806 
(December 9, 2008). These three provisions are read together to permit 
directory information to be used to access online electronic systems 
and to prevent opt-out rights from being used to prevent an educational 
agency or institution from disclosing or requiring a student to 
disclose the student's name, identifier, or institutional email address 
in a class in which the student is attending, in either a traditional 
or non-traditional classroom setting.
    Changes: None.

Limited Directory Information Policy (Sec.  99.37(d))

    Comment: A number of commenters expressed support for the proposal 
clarifying that an educational agency or institution may have a limited 
directory information policy. One commenter stated that this 
clarification will provide educational agencies and institutions with 
more certainty and control in using directory information for their own 
purposes. A few commenters stated that it would be helpful if the 
regulations clarified that institutions can have different policies 
based on each specific type or subset of directory information, such as 
being able to institute a policy that only certain directory 
information may be disclosed to specific parties. Some pointed out that 
the proposed regulations did not specify whether a school could put 
into effect a policy that specifically limits who may not receive 
directory information. Two commenters recommended that the regulations 
explicitly state that directory information designated by a school may 
not be disclosed, except for the limited disclosure to specific 
parties, or for specific purposes, or both.
    One commenter supported the amendment to permit schools to have a 
limited directory information policy, believing this change would help 
ensure that school officials do not contact landlords, employers, or 
other third parties to discuss a child's housing situation. One 
commenter stated that he opposed any changes to the FERPA regulations 
that would restrict access to directory information. Another commenter 
said that adopting Sec.  99.37(d) as proposed would add confusion and 
may raise unnecessary allegations of improper disclosure of directory 
information from parents and eligible students. This commenter pointed 
out that there is no requirement in FERPA that a school adopt a 
directory information policy or disclose directory information even if 
it has a policy. One commenter expressed concern that the proposed 
changes to the definition of ``directory information'' do not 
adequately address the capacity of marketers and other commercial 
enterprises to obtain, use, and re-sell student information. The 
commenter stated that few parents are aware, for example, that anyone 
can request and receive a student directory from a school. The 
commenter also stated that States may take action, through legislation, 
to tighten restrictions on the use of directory information, perhaps 
restricting the disclosure of directory information for marketing 
purposes.
    A few commenters expressed concern that the proposal to permit 
schools to have a limited directory information policy would prevent 
the release of information about students to those who have a 
legitimate reason for obtaining the information, including the media. 
The commenters also expressed concern that withholding directory 
information could become a tool for schools to engage in retribution 
against disfavored media outlets, social or political causes, or 
parental activist groups. The commenters stated that the Secretary 
should give detailed guidance to educational agencies and institutions 
concerning this change in order to diminish any negative effect that 
such policies could have on the free flow of information to the public. 
These commenters stated that the effect of the regulatory changes will 
be that schools will decide not to disclose directory information to 
the media for any reason,

[[Page 75630]]

including publicity or investigations. One of these commenters said 
that it was not clear how recipients of directory information would be 
chosen, whether the specific parties would be selected by the 
institution or by each individual student. This commenter noted that a 
limited directory information policy might make it difficult for a 
party that was not included in the policy at the beginning of a year 
but that needed to do business with the school mid-year to have fair 
access to directory information.
    A commenter stated that the ability to disclose directory 
information for some purposes, but not others, might prove more useful 
to educational agencies and institutions that are not subject to a 
State open records law than to those that are. Educational agencies and 
institutions that are subject to open records laws would be required to 
disclose all directory information and would not benefit from a limited 
directory information policy. The commenter requested clarification 
whether the ability to limit directory information is optional and 
whether a failure to institute such a policy would subject the 
institution to enforcement proceedings by the Department. Similarly, 
another commenter asked for clarification as to whether a school that 
chose not to adopt a limited directory information policy may under the 
proposed regulations still limit the disclosure of directory 
information to whomever they want, and for whatever reason they want, 
even though State law may require disclosure.
    Finally, a few commenters pointed out that even under a limited 
directory information policy, it would not be a violation of FERPA for 
a party that received directory information to redisclose it. To 
address that issue, some of the commenters supported the idea of a non-
disclosure agreement so that the disclosing school could control any 
redisclosures of directory information. However, one commenter stated 
that our suggestion in the preamble to the NPRM that schools adopt a 
non-disclosure agreement is unrealistic; schools may have difficulty 
identifying who may redisclose the information, and schools have no 
authority and limited resources to enforce such agreements. This 
commenter also stated that making recipients sign such agreements could 
be a significant administrative burden for LEAs that receive many 
requests for directory information, even if they have adopted a limited 
directory information policy.
    Discussion: Under FERPA, educational agencies and institutions are 
only required to provide access to education records to parents and 
eligible students. All other disclosures listed in Sec.  99.31 are 
optional. This includes the disclosure of directory information under 
Sec.  99.31(a)(11), under the conditions specified in Sec.  99.37. 
However, some educational agencies and institutions have advised, and 
administrative experience has shown, that State open records laws have 
required disclosure of student directory information because, in most 
cases, FERPA does not specifically prohibit the disclosure of this 
information. It is our understanding that many, if not most, State open 
records or sunshine laws require that public entities, such as public 
schools, LEAs, and State colleges and universities, disclose 
information to the public unless the disclosure is specifically 
prohibited by another State law or by a Federal law such as FERPA. 
Thus, in practice, while FERPA only requires schools to disclose PII 
from education records to parents or eligible students, State sunshine 
laws may require the public release of properly designated directory 
information from which parents and eligible students have not opted 
out.
    With regard to the commenter who asked whether a school that 
chooses not to adopt a limited directory information policy could still 
limit the disclosure of directory information if its State law required 
the disclosure, FERPA permits the disclosure of directory information 
but it does not require it. Some States have State open records laws 
that may require the disclosure of directory information if a school 
has a directory information policy and the parent or eligible student 
has not opted out.
    We believe that the FERPA regulations will better assist 
educational agencies and institutions in protecting directory 
information if an educational agency or institution that adopts a 
limited directory information policy limits its directory information 
disclosures only to those parties and purposes that were specified in 
the policy. To clarify, this regulatory scheme gives each school the 
option of limiting its directory information disclosures and does not 
subject a school to enforcement proceedings by FPCO if the school 
elects not to limit disclosure to specific parties or for specific 
purposes, or both.
    With regard to the recommendations by commenters that the 
regulations explicitly state that directory information not be 
disclosed except to specific parties or for specific purposes, we do 
not believe this change is necessary. As noted, neither the disclosure 
of directory information nor the adoption of a limited directory 
information policy is required by the regulations. The regulations make 
clear that if a school chooses to adopt a limited directory information 
policy, then it must limit its directory information disclosures to 
those specified in its public notice.
    With regard to concerns expressed by commenters about directory 
information being released to entities for marketing purposes, a school 
has the flexibility to allow or restrict disclosure to any potential 
recipient. For example, a limited directory information policy may be 
expressed in a negative fashion, indicating that the school does not 
disclose directory information for marketing purposes. While Congress 
has not amended FERPA to specifically address disclosure of directory 
information to companies for marketing purposes, Congress amended 
section 445 of GEPA, commonly referred to as the Protection of Pupil 
Rights Amendment (PPRA) in 2001 to address this issue. Public Law 107-
110, Sec.  1061.
    Under PPRA, LEAs are required to work in consultation with parents 
to develop and adopt a policy governing the collection, disclosure, or 
use of personal information collected from students for the purpose of 
marketing or for selling that information (or otherwise providing that 
information to others for those purposes). The policy must include 
arrangements to protect student privacy in the event of such 
collection, disclosure, or use. LEAs are also required to notify 
parents of students of any activities that involve the collection, 
disclosure, or use of personal information collected from students for 
the purpose of marketing or selling that information (or otherwise 
providing that information to others for those purposes) so that 
parents may opt their child out of participation in those activities. 
20 U.S.C. 1232h(c)(1)(E) and (c)(2). While PPRA does not generally 
apply to postsecondary institutions, understanding and complying with 
its requirements for LEAs should address some of the commenters' 
concerns about this matter.
    With regard to the fact that we did not propose to amend the FERPA 
regulations to prevent third parties that receive directory information 
from further disclosing it, we do not believe that it is realistic to 
make such a change. By its nature, directory information is intended to 
be publicly shared. Congress included the disclosure of properly 
designated directory information as an exception to the general consent 
requirement in FERPA so that schools may make disclosures of the type 
of information generally not

[[Page 75631]]

considered harmful or an invasion of privacy, such as information on 
students that would normally be found in a school yearbook or 
directory. It is not administratively practicable to take action 
against a third party that rediscloses directory information. For 
example, it would be virtually impossible to control how student 
information contained in a yearbook is distributed to others. 
Therefore, we believe that schools are in the best position to 
determine who should receive directory information and, should they 
choose, implement a limited directory information policy.
    With regard to the commenter who stated that adopting the limited 
directory information provision in the regulations would add confusion 
and possibly raise unnecessary allegations of improper disclosure from 
parents and eligible students, we do not believe this is the case. On 
the contrary, the option to have a limited directory information policy 
should better protect against improper disclosures of PII from 
education records and reduce the number of complaints in this regard.
    With regard to our recommendation that schools adopting a limited 
directory information policy consider entering into non-disclosure 
agreements to restrict the information from being further disclosed, we 
agree that this will not always be feasible. Clearly there are 
situations in which a school could not have a non-disclosure agreement, 
such as when it publishes directory information in a school yearbook, a 
sports event program, or a program for a school play. Schools will have 
to exercise judgment with respect to whether to utilize non-disclosure 
agreements to prevent further disclosure of directory information by 
assessing the circumstances surrounding the disclosure of the directory 
information.
    Finally, we note that the regulatory change to allow educational 
agencies and institutions to implement a limited directory information 
policy was not specifically intended to address how schools interact 
with or disclose directory information to members of the media. Rather, 
we were addressing concerns raised by school officials who, alarmed 
about the increase in identity theft, expressed a need to protect the 
privacy of students' directory information. We encourage school 
officials to act responsibly in developing a limited directory 
information policy and to keep in mind routine disclosures that schools 
need to make in the normal course of business, including providing 
properly designated directory information to the media about various 
student activities and extracurricular pursuits of students.
    Changes: None.

General Enforcement Issue (Sec.  99.67)

    Comment: Several commenters stated that the Department lacks the 
legal authority to investigate, review, process, or enforce an alleged 
FERPA violation committed by recipients of Department funds under a 
program administered by the Secretary that students do not attend. 
These recipients include but are not limited to, SEAs, nonprofit 
organizations, student loan lenders, and guaranty agencies. 
Specifically, the commenters stated that nonprofit organizations, 
guaranty agencies, and lenders could not be considered educational 
agencies or institutions under FERPA because these organizations have 
no students in attendance. In addition, some commenters argued that as 
financial institutions, student loan lenders, servicers, and guaranty 
agencies are already subject to numerous Federal laws that require them 
to protect PII from education records, making them subject to FERPA 
would not effectively increase protection.
    Discussion: The Department disagrees with the comment that it does 
not have the legal authority to take enforcement actions against 
entities that receive Department funding under a program administered 
by the Secretary that students do not attend. Section (f) of FERPA 
provides that the Department shall take appropriate actions to enforce 
and deal with violations of provisions in FERPA in accordance with 
GEPA. 20 U.S.C. 1232g(f). However, as we discussed in the preamble to 
the NPRM (76 FR at 19733), the current regulations do not clearly 
describe the entities against which we may take actions under section 
(f) of FERPA. Accordingly, the Department believes that it is necessary 
to clarify in these new regulations that FPCO has the authority to hold 
these entities responsible for FERPA compliance, given the disclosures 
of PII from education records that are needed to implement SLDS. We 
believe this clarification is necessary in light of recent developments 
in the law.
    In addition, in order for the Department to appropriately 
investigate, process, and review complaints and alleged violations of 
FERPA, the Department proposed in Sec.  99.60(a)(2) to take a more 
expansive view of the term ``educational agency or institution.'' The 
expanded definition would include entities that do not necessarily have 
students in attendance but still receive Department funding under a 
program administered by the Secretary and which, nevertheless, are in 
possession and control of PII from education records.
    The Department continues to believe that it is necessary to use its 
broad enforcement powers to ensure that FERPA's protections apply to 
these recipients. The Department has decided, however, not to define in 
Sec.  99.60(a)(2) all recipients of Department funding under a program 
administered by the Secretary as ``educational agencies and 
institutions'' in the context of the enforcement provisions, as was 
reflected in proposed Sec.  99.60(a)(2), because it is evident from the 
comments that the terminology is confusing. We have decided instead to 
revise Sec. Sec.  99.61 through 99.67, which set out FERPA's 
enforcement procedures. These amendments authorize the Department to 
investigate, process, and review complaints and violations of FERPA 
alleged to have been committed by educational agencies and 
institutions, as well as other recipients of Department funds under any 
program administered by the Secretary (e.g., State educational 
authorities, such as SEAs, and State postsecondary agencies, local 
educational authorities, nonprofit organizations, student loan guaranty 
agencies, and student loan lenders). Because these entities receive PII 
from education records, we believe that this change is justified in 
order to protect against improper redisclosure of PII from education 
records.
    In the case of an improper redisclosure of PII from education 
records by a non-profit organization, lender, servicer, or guaranty 
agency that is a recipient of Department funds under a program 
administered by the Secretary and that received PII from education 
records from an institution of higher education, the Department will 
enforce sanctions against the responsible party, whether that be the 
non-profit organization, lender, servicer, or guaranty agency. The 
Department, however, may also pursue enforcement measures against the 
institution of higher education, depending on the circumstances. In 
addition, we are not convinced that other confidentiality laws that 
apply to financial institutions provide the same protections as FERPA. 
Although the confidentiality laws cited by the commenters address 
privacy generally, they are not specifically designed to protect the 
confidentiality of student education records. Moreover, while the 
Secretary can take steps to enforce FERPA directly, we may need to rely 
on other Federal and State agencies to enforce these other 
confidentiality laws identified by the commenters.

[[Page 75632]]

    Changes: The Department has decided not to adopt the change 
proposed in Sec.  99.60(a)(2), which would have provided, solely for 
purposes of enforcement of FERPA under 34 CFR part 99, subpart E, all 
recipients of Department funds under a program administered by the 
Secretary as ``educational agencies and institutions.'' Rather, the 
Department has decided to amend Sec. Sec.  99.61 through 99.67 to 
clarify FPCO's enforcement responsibilities. Specifically, we revised 
these sections to clarify that FPCO may investigate, review, and 
process complaints filed against, or alleged violations of FERPA 
committed by, any recipient of Department funds under a program 
administered by the Secretary--not just educational agencies and 
institutions--and may hold any such recipient accountable for 
compliance with FERPA.
    Comment: One commenter asked that we clarify which enforcement 
tools legally available to the Secretary would be utilized in actions 
against State and local educational authorities and other recipients of 
Department funding under a program administered by the Secretary.
    Four commenters requested that the Department adopt more 
significant penalties, including incarceration and substantial fines, 
for FERPA violations caused by authorized representatives. Another 
commenter stated that the Department should sanction an entity that 
makes an unauthorized disclosure by requiring the entity to surrender 
all PII from education records already in its possession. Several 
commenters stated that other privacy statutes include significant 
sanctions and that FERPA requires a similar deterrent to prevent 
violations of student privacy.
    Discussion: In FERPA, Congress expressly directed the Secretary to 
``take appropriate actions'' to ``enforce'' FERPA and ``to deal with 
violations'' of its terms ``in accordance with [GEPA].'' 20 U.S.C. 
1232g(f).
    In GEPA, Congress provided the Secretary with the authority and 
discretion to take enforcement actions against any recipient of funds 
under any program administered by the Secretary for failures to comply 
substantially with any requirement of applicable law, including FERPA. 
20 U.S.C. 1234c(a). GEPA's enforcement methods expressly permit the 
Secretary to issue a complaint to compel compliance through a cease and 
desist order, to recover funds improperly spent, to withhold further 
payments, to enter into a compliance agreement, or to ``take any other 
action authorized by law,'' including suing for enforcement of FERPA's 
requirements. 20 U.S.C. 1234a, 1234c(a), 1234d; 1234e; 1234f; 34 CFR 
99.67(a); see also United States v. Miami Univ., 294 F.3d 797 (6th Cir. 
2002) (affirming the district court's decision that the United States 
may bring suit to enforce FERPA). Therefore, the Secretary will use one 
or a combination of these enforcement tools as is appropriate given the 
circumstances. Additionally, the Department has the authority to impose 
the five-year rule against any entity that FPCO determines has violated 
FERPA either through an improper redisclosure of PII from education 
records or through its failure to destroy PII from education records 
under the studies exception. (See discussion of five-year rule later in 
this preamble).
    With respect to the suggestion that we create additional penalties, 
the Department lacks the statutory authority to incarcerate violators, 
impose fines, or force a third party to surrender all PII from 
education records currently in its possession because the Department 
lacks the statutory authority to do so.
    Changes: None.
    Comment: One commenter requested that the Department clarify that 
``non-school entities'' are only required to comply with FERPA to the 
extent they have received FERPA-protected PII from education records 
from an educational agency or institution.
    Discussion: The Department would only take actions against ``non-
school entities'' that have not complied with FERPA requirements that 
relate to PII from education records they received under one of the 
exceptions to FERPA's general consent requirement. The Department has 
no authority under FERPA to take actions for other PII these entities 
may possess.
    Changes: None.
    Comment: A commenter suggested that other parties beyond those 
enumerated in the statute (i.e., eligible parents and students) should 
have standing to file complaints with FPCO. Further, this commenter 
suggested that the Department should increase the amount of time a 
complainant has to file a complaint with FPCO.
    Discussion: We decline to expand the entities eligible to file 
complaints with FPCO beyond parents and eligible students and decline 
to increase the amount of time a complainant has to file a complaint 
with FPCO beyond 180 days of the date of the alleged violation (or of 
the date that the complainant knew or reasonably should have known of 
the alleged violation). We did not propose these changes in the NPRM 
and therefore cannot make these changes in these final regulations 
without allowing an opportunity for further public comment and review. 
Still, it is important to note that FPCO can initiate an investigation 
on its own, without receiving a complaint, to address other violations.
    Changes: None.
    Comment: One commenter asked us to consider expanding the scope of 
our enforcement procedures to apply to tax exempt organizations under 
26 U.S.C. 501(c) that students do not attend and that are not the 
recipients of Department funds but that have PII from education 
records.
    Discussion: If a tax exempt organization under 26 U.S.C. 501(c) has 
PII from education records, but is not a recipient of funds under a 
program administered by the Secretary, then the Department would not 
have the authority under GEPA to take enforcement measures against such 
an organization. FPCO, however, may impose, under 20 U.S.C. 
1232g(b)(4)(B) and new Sec.  99.67(c), (d), and (e), the five-year rule 
against any entity that FPCO determines has violated FERPA either 
through an improper redisclosure of PII from education records received 
under any of the exceptions to the general consent rule or through the 
failure to destroy PII from education records under the studies 
exception. (See discussion of five-year rule later in this preamble.)
    For instance, if an LEA's authorized representative does not 
receive funding from the Department and violates FERPA due to poor data 
security practices, FPCO could apply the five-year rule by prohibiting 
the disclosing LEA from providing PII from education records to the 
authorized representative for at least five years. If the disclosing 
LEA refuses to comply and continues its relationship with the 
authorized representative, FPCO could, under GEPA, terminate funding to 
the LEA.
    Changes: None.
    Comment: One commenter asked that we clarify how the enforcement 
measures would apply if a contractor of an entity that received funding 
under a program administered by the Department violated FERPA's 
requirements. The commenter wanted to know, for example, what the 
liability of a school would be if its contractor violated FERPA.
    Discussion: Whether the Department would take enforcement action 
against a contractor that violates FERPA under a program administered 
by the Secretary, depends upon the exception to FERPA under which the 
contractor received the PII from education records, if the contractor 
was a recipient of Department funds, and the

[[Page 75633]]

circumstances of the violation. If the contractor was a recipient of 
Department funds and violated FERPA, the Department could take 
sanctions as permissible under GEPA. If the contractor was not a 
recipient of Department funds and improperly disclosed PII from 
education records received under any of the exceptions to the general 
consent rule or failed to destroy PII from education records in 
accordance with the requirements of the studies exception, the 
Department could implement the five-year rule. (See discussion of the 
five-year rule later in this preamble.)
    Likewise, the Department may also take enforcement action against 
the entity that disclosed PII from education records to the contractor. 
For example, if the contractor was acting as an authorized 
representative of a FERPA-permitted entity and violated FERPA, FPCO 
would investigate and review whether the disclosing entity met all of 
its obligations under FERPA, such as taking reasonable methods to 
ensure to the greatest extent practicable the FERPA compliance of the 
contractor. FPCO could take applicable GEPA enforcement actions against 
the disclosing entity, if it did not meet its responsibilities.
    If the contractor received PII from education records while acting 
as a school official under Sec.  99.31(a)(1)(i)(B), then the 
educational agency or institution would be liable for the contractor's 
FERPA violation and is subject to GEPA enforcement actions by the 
Department. In any of these instances, FPCO would initiate an 
investigation and seek voluntary compliance before imposing any 
sanctions.
    Changes: None.

Five-Year Rule (Sec.  99.67)

    Comments: Many commenters raised questions about the provision in 
FERPA that prohibits an educational agency or institution from 
disclosing PII from education records to a third party ``for a period 
of not less than five years'' if that third party improperly 
rediscloses PII from education records received under any of the 
exceptions to the general consent rule or fails to destroy PII from 
education records under the studies exception. 20 U.S.C. 
1232g(b)(4)(B).
    Multiple commenters appeared to believe that the Department was 
proposing the five-year rule for the first time in the NPRM and 
questioned whether the Department had the legal authority to implement 
such a rule. One commenter specifically opposed the rule on the grounds 
that it was inconsistent with the statute and that changes in the law 
should be made through a legislative amendment and not rulemaking.
    Discussion: To clarify, the Department did not propose the five-
year rule for the first time in the NPRM; rather, Congress amended 
FERPA in the Improving America's Schools Act of 1994, Sec.  249, Public 
Law 103-382, to provide that if a ``third party outside the educational 
agency or institution'' improperly rediscloses FERPA-protected data 
that it received under any of the exceptions to the general consent 
rule or fails to destroy information under the studies exception, then 
the educational agency or institution ``shall be prohibited from 
permitting access to information * * * to that third party for a period 
of not less than five years.'' 20 U.S.C. 1232g(b)(4)(B).
    The Department amended its regulations to implement this statutory 
change in 1996. 61 FR 59292 (November 21, 1996). The Department's 
current regulations in Sec.  99.31(a)(6)(iv) and Sec.  99.33(e), taken 
together, provide that if FPCO determines that a third party outside 
the educational agency or institution improperly rediscloses PII from 
education records in violation of Sec.  99.33 or fails to destroy PII 
from education records in violation of Sec.  99.31(a)(6)(ii)(B), then 
the educational agency or institution may not provide that third party 
access for a minimum period of five years.
    Still, based upon the confusion expressed by commenters regarding 
the five-year rule, we are changing the final regulations to 
consolidate all regulatory provisions relating to the five-year rule 
into one section of the regulations, Sec.  99.67. This is not a 
substantive change, but it is one intended to improve comprehension and 
promote ease of use because we believe it will be helpful for readers 
to see all of the regulatory language concerning the five-year rule in 
a single regulatory section.
    Changes: We are removing the existing two provisions in Sec.  
99.31(a)(6)(iv) and Sec.  99.33(e) regarding the five-year rule and 
consolidating all provisions relating to the five-year rule into Sec.  
99.67.
    In addition, we are changing the language that we proposed in Sec.  
99.35(d) that stated that in the event that FPCO finds an improper re-
disclosure of PII from education records, ``* * * the educational 
agency or institution from which the [PII] originated may not allow the 
authorized representative, or the State or local educational authority 
or the agency headed by an official listed in Sec.  99.31(a)(3), or 
both, access to [PII] from education records for at least five years.'' 
65 FR 19738 (April 8, 2011). Specifically, we are replacing 
``authorized representative, or the State or local educational 
authority or the agency headed by an official'' in proposed Sec.  
99.35(d) with ``the third party'' in the final regulation. Similarly, 
we are also consolidating the text of proposed Sec.  99.35(d) into 
Sec.  99.67, the enforcement section.
    Comment: Many commenters asked which entities were subject to the 
five-year rule. Some of these commenters expressed concern that the 
rule would be enforced against an entire educational agency or 
institution acting as a third party, such as a State university system, 
and asked whether the rule could be applied in a more limited manner 
against an individual researcher or department within the educational 
agency or institution, arguing, for example, that if an individual 
researcher is at fault, it would be excessive to prohibit an entire 
organization from receiving PII from education records for a period of 
not less than five years.
    At the same time, others were equally emphatic that the rule must 
apply to the entire educational agency or institution acting as a third 
party to have any enforcement effect or to deter potential violations. 
Consequently, many of these commenters asked how the Department would 
define an educational agency or institution acting as a third party.
    One commenter recommended that the five-year rule only be applied 
against an educational agency or institution acting as a third party 
that was expressly responsible for the unauthorized redisclosure of PII 
from education records. Another commenter wanted the Department to 
clarify whether FERPA-permitted entities could be subjected to the 
five-year rule due to an unauthorized redisclosure of PII from 
education records made by the FERPA-permitted entity's authorized 
representative.
    Discussion: The statute and current Sec. Sec.  99.31(a)(6)(iv) and 
99.33(e), taken together, are clear that any third party outside of the 
educational agency or institution that improperly rediscloses PII from 
education records received under any of the exceptions to the general 
consent rule or fails to destroy PII from education records as required 
under current Sec.  99.31(a)(6)(ii)(B) may be subjected to the five-
year rule. We understand a ``third party'' to refer broadly to any 
entity outside of the educational agency or institution from which the 
PII from education records was originally disclosed and may include an 
authorized representative. In other words, authorized representatives

[[Page 75634]]

make up a subset of the larger set of third parties outside the 
educational agency or institution from which the PII from education 
records was originally disclosed. Any individual or entity to which PII 
from education records is disclosed without consent by an educational 
agency or institution under Sec.  99.31(a), except for disclosures 
under Sec.  99.31(a)(1) to school officials because they are within the 
educational institution or agency, is a third party.
    The NPRM proposed adding a third regulatory provision to Sec.  
99.35 in order to implement the five-year rule more specifically in the 
context of an improper redisclosure of PII from education records by 
FERPA-permitted entities or by their authorized representatives (which 
are third parties). As explained in the NPRM, the Department sought to 
clarify that FPCO could impose the five-year rule against FERPA-
permitted entities, their authorized representatives, or both. Under 
the final regulations, the provisions of the five-year rule apply to 
all improper redisclosures by third parties outside of the educational 
agency or institution from which PII from education records was 
originally disclosed. These third parties include FERPA-permitted 
entities or their authorized representatives, whether they obtained PII 
from education records under the studies exception, the audit or 
evaluation exception, or any other exception to the requirement of 
consent in Sec.  99.31(a) (other than Sec.  99.31(a)(1), which applies 
to disclosures to school officials who are within the educational 
institution or agency).
    The five-year rule also applies to all third parties that fail to 
destroy PII from education records in violation of the studies 
exception in Sec.  99.31(a)(6). By contrast, the statute does not 
specifically authorize the Department to apply the rule against a third 
party for failure to destroy PII from education records under the audit 
or evaluation exception or for other inappropriate activities that 
affect privacy beyond the improper redisclosure and the failure to 
destroy PII from education records in violation of the studies 
exception in Sec.  99.31(a)(6), as discussed earlier. However, FERPA-
permitted entities are free to include sanctions for other 
inappropriate activities that affect privacy as part of their written 
agreements with third parties and authorized representatives.
    Changes: None.
    Comment: Many commenters requested clarification regarding how the 
five-year rule would be implemented and specifically requested a 
detailed explanation regarding who could enforce the rule, how the rule 
would be applied, and whether those sanctioned would have a right to 
appeal. Several commenters asked how much discretion educational 
agencies and institutions would have to either bar third parties or 
authorized representatives under the five-year rule or to modify the 
length of the debarment depending upon the circumstances.
    Several commenters asked how much discretion the Department would 
have when applying the five-year rule. Some expressed concern that the 
Department would apply the five-year rule automatically after a single 
unauthorized redisclosure of PII from education records by a third 
party. One commenter expressed concern that the Department would apply 
the rule like a ``zero tolerance'' policy.
    Concerned about the severity of the five-year rule, many commenters 
requested an opportunity to come into compliance with approved best 
practices and methods for data protection as an alternative to an 
immediate application of the five-year rule. One commenter suggested 
remediation as an alternative to the five-year rule to help a third 
party with the process of voluntary compliance.
    Another commenter asked the Department to amend the regulations to 
apply the five-year rule only when there are repeated, unauthorized 
redisclosures of PII from education records or when the parties 
responsible for the unauthorized disclosure are grossly negligent. Some 
of these commenters suggested that we take into account the level or 
magnitude of the improper redisclosure. One commenter suggested that 
the regulations should be modified to recognize that in today's 
technological environment, it is not feasible to require absolute 
compliance.
    Finally, a few commenters asked whether debarment under the five-
year rule ``follows'' an individual who has been debarred from one 
employer to the individual's next employer. These commenters also asked 
whether debarment attaches to a third party even if the individual who 
is found to be responsible for an improper redisclosure of PII from 
education records leaves the employment of that third party.
    Discussion: Some commenters appeared to have misunderstood the NPRM 
as proposing that an individual school or LEA would have the authority 
to impose the five-year rule against a third party, such as an SEA or a 
Federal agency headed by an official listed in Sec.  99.31(a)(3), in 
the event of an improper redisclosure by that third party. This is 
incorrect--only FPCO has the authority to impose the five-year rule 
against third parties that FPCO determines have violated either the 
redisclosure provisions of Sec.  99.33 or the destruction requirements 
of Sec.  99.31(a)(6)(iii)(B). In other words, only FPCO has the 
authority to implement the five-year rule to prohibit an educational 
agency or institution from providing a third party with access to 
FERPA-protected data.
    When making such a determination, FPCO, consistent with its 
longstanding practice, will investigate allegations of third parties 
improperly redisclosing PII from education records under Sec.  99.33 or 
failing to destroy data under Sec.  99.31(a)(6)(iii)(B). If FPCO were 
to find a FERPA violation, then it would first attempt to bring the 
offending third party into voluntary compliance. As suggested by one 
commenter, FPCO may use remediation as a tool to bring the third party 
into voluntary compliance. For instance, if FPCO were to investigate 
and determine that a third party had failed to timely destroy data, 
FPCO could work with the third party conducting the study to implement 
an appropriate destruction policy. If FPCO were unable to bring the 
offending third party into voluntary compliance, then FPCO would have 
the discretion to prohibit the educational agency or institution from 
allowing that third party access to PII from education records for a 
period of at least five years. In deciding whether to exercise this 
discretion and which third parties should be banned, FPCO will consider 
the nature of the violation and the attendant circumstances. One factor 
FPCO will consider is whether the third party has repeatedly 
redisclosed PII from education records improperly, which will make it 
more likely that the FPCO will apply the five-year rule. The Department 
believes that outlining this detailed process here provides adequate 
clarification of FPCO's enforcement procedures.
    Moreover, as discussed in more detail earlier in this preamble, 
FPCO is not limited to the five-year rule in the enforcement actions it 
may take; it also has the discretion to consider whether it would be 
more appropriate to apply GEPA enforcement mechanisms against those 
third parties receiving Department funds. Accordingly, the five-year 
rule is not a ``zero tolerance'' policy, as suggested by one commenter, 
and FPCO would not apply the rule without considering the facts of each 
particular situation, as some commenters feared.
    As for whether a third party would be able to appeal a decision 
made by FPCO to prohibit an educational agency or institution from 
disclosing PII from

[[Page 75635]]

education records to that third party, no such appeal right exists. 
Under current Sec.  99.60(b)(1), only FPCO has the authority to 
``[i]nvestigate, process, and review complaints and violations under 
the Act * * *.'' FPCO also retains complete authority to enforce the 
five-year rule, and its decisions are final. However, FPCO's 
investigative process would provide ample opportunity for the party 
being investigated to have FPCO consider all relevant facts and 
circumstances before making a decision.
    Importantly, the fact that FPCO must find a violation before the 
five-year rule may be enforced does not relieve educational agencies 
and institutions or FERPA-permitted entities of their responsibility to 
protect PII from education records. As discussed earlier, we encourage 
FERPA-permitted entities that are redisclosing PII from education 
records to third parties to include sanctions in their written 
agreements with their third parties and authorized representatives, and 
to enforce those sanctions. FERPA-permitted entities, and their 
authorized representatives, may agree to any sanctions permissible 
under applicable law. For instance, written agreements could call for 
monetary penalties, data bans of varying length, or any of the range of 
civil penalties that the disclosing entity believes is appropriate. The 
Department encourages the use of these agreed-upon sanctions to ensure 
control and proper use of PII from education records.
    Finally, depending upon the specific facts of the situation, 
debarment may ``follow'' an individual who has been sanctioned under 
the five-year rule from one employer to another. Further, debarment 
would likely not remain attached to a third party if it is determined 
that only the debarred individual was responsible for the improper 
redisclosure of PII from education records, the debarred individual 
leaves the third party's employment, and the improper redisclosure was 
not caused by a policy of the third party. It is important to note, 
however, that such determinations are highly fact specific and the 
Department will review each situation case by case.
    Changes: We are amending Sec. Sec.  99.61, 99.62, 99.64, 99.65, 
99.66 and 99.67 of the FERPA regulations. These changes provide more 
detailed procedures governing the investigation, processing, and review 
of complaints and violations against third parties outside of an 
educational agency or institution for failing to destroy PII from 
education records in violation of Sec.  99.31(a)(6)(iii)(B) or for 
improperly redisclosing PII from education records in violation of 
Sec.  99.33.
    Comment: Several commenters provided general support for the five-
year rule as a means to enforce FERPA. One commenter stated that five 
years is an appropriate time period for such a violation, and another 
stated that substantial consequences are a must and that debarment 
would be an appropriate remedy for FERPA violations.
    Other commenters found this sanction insufficient to adequately 
protect privacy and called for more extensive and harsher penalties. 
One commenter requested that other penalties be developed out of a 
concern that the five-year rule would not be used frequently enough to 
deter egregious and flagrant violations of FERPA. Several commenters 
requested that the Department apply the rule more broadly. For example, 
one commenter stated that the Department should sanction other 
inappropriate activities that affect privacy besides improper 
redisclosures, including, but not limited to, ``using records for an 
improper purpose; examining individual records without justification * 
* * and not allowing access to or correction of records when 
appropriate.''
    Still others expressed concern that the Department would apply the 
five-year rule too broadly. One commenter suggested limiting the scope 
of the prohibition to PII from education records used for the purposes 
of conducting studies and not necessarily for other purposes related to 
the provision of products, services, and other functions.
    Discussion: The Department lacks the legal authority to expand the 
enforcement mechanisms available under FERPA beyond those discussed in 
this preamble and therefore declines to include harsher penalties such 
as those requested by a number of commenters. For the same reason, we 
cannot expand the list of ``inappropriate activities'' that may be 
sanctioned under the five-year rule beyond improper redisclosures under 
Sec.  99.33 and the failure to destroy PII in violation of Sec.  
99.31(a)(6)(iii)(B). The five-year rule is clear that it only applies 
to improper redisclosures of PII received under any of the exceptions 
to the general consent rule and the failure to destroy PII from 
education records under the studies exception.
    The Department also declines to limit the scope of the prohibition 
to the purpose of conducting studies and not necessarily for other 
purposes related to the provision of products, services, and other 
functions. Section (b)(4)(B) of FERPA (20 U.S.C. 1232g(b)(4)(B)) 
provides that the five-year rule applies to any improper redisclosure 
made by any third party and not just to an improper redisclosure made 
by a third party conducting research under the studies exception. Thus, 
the final regulations include a third regulatory provision, reflected 
in Sec.  99.67(d), that describes the five-year rule as it applies 
specifically in the context of the audit or evaluation exception. 
Section 99.67 states that in the context of the audit or evaluation 
exception, where the FERPA-permitted entities and any of their 
authorized representatives are third parties, the five-year rule could 
be applied against the FERPA-permitted entities, an authorized 
representative thereof, or both.
    Changes: None.
    Comment: Another commenter requested that the regulations be 
changed to prohibit the offending third party from requesting PII from 
education records from the disclosing educational agency or institution 
in the future rather than placing the burden on the educational agency 
or institution to deny access.
    Discussion: The Department cannot prohibit a third party who has 
violated FERPA from requesting PII from education records from an 
educational agency or institution. The five-year rule clearly states 
that it is the duty of the educational agency or institution that 
originally disclosed the PII from education records to the third party 
to prevent further disclosure to the same third party. Still, the five-
year rule does not prohibit all educational agencies and institutions 
from disclosing PII from education records to the offending third 
party; as made clear by the statute, the prohibition only applies to 
the educational agency or institution that originally disclosed PII 
from education records to that third party.
    Changes: None.
    Comments: Some expressed concern that under the five-year rule, 
educational agencies and institutions, such as LEAs, would be 
prohibited from disclosing PII from education records to third parties, 
such as SEAs, if these third parties improperly redisclosed FERPA-
protected data that they received from the educational agency or 
institution. The commenters expressed concern that Federal and State 
education laws require LEAs to share data with SEAs in order to qualify 
for Federal and State education funds.
    Another commenter expressed a similar concern that an institution 
of higher education might be prohibited from offering Federal financial 
aid to its students if the Department itself were responsible for the 
improper redisclosure. In the commenter's example, the institution of 
higher education would be unable to make data

[[Page 75636]]

disclosures needed to process Federal and State loans, if the five-year 
rule were applied to the Department.
    Discussion: The Department would interpret the five-year rule 
consistently with other Federal laws to the greatest extent possible in 
order to avoid a conflict between Federal laws. If imposition of the 
five-year rule would prevent an LEA from complying with other legal 
requirements, FPCO may sanction the offending SEA using an enforcement 
mechanism that is available to the Department under GEPA, such as 
issuing a cease and desist order, thereby allowing the LEA to meet its 
other legal obligations.
    Similarly, in response to those commenters who expressed a concern 
that subjecting the Department to the five-year rule would prevent 
institutions of higher education from providing student information to 
the Department's Federal Student Aid (FSA) office, the Department will 
administer FERPA in a reasonable manner and read it consistently with 
Federal laws governing student financial aid. Like any other third 
party outside of an educational agency or institution, FSA, or any 
other office in the Department that receives PII from education 
records, must also comply with FERPA; if FPCO found that FSA, or any 
other third party, violated the redisclosure provisions in FERPA, FPCO 
would then work with that third party to obtain voluntary compliance 
with FERPA, potentially eliminating the need to impose the five-year 
ban.
    Changes: None.
    Comment: One commenter expressed concern about existing contracts 
and written agreements being violated because of an application of the 
five-year rule regarding a separate and unrelated improper redisclosure 
of PII from education records by an authorized representative.
    Discussion: The Department disagrees that application of the five-
year rule will automatically result in a debarred third party from 
complying with its obligations under other pre-existing contracts or 
written agreements. If FPCO were to find that application of the rule 
was warranted, the regulations would prohibit only the original, 
disclosing educational agency or institution from providing PII from 
education records to the third party. Furthermore, this prohibition 
would only occur if the third party refused to work with FPCO to 
voluntarily comply with FERPA.
    Changes: None.
    Comment: Two commenters noted what they perceived to be a conflict 
between the language used in the statute (and the preamble of the NPRM) 
regarding the five-year rule and the language in current regulations. 
Although the statute states that the original, disclosing educational 
agency or institution ``shall be prohibited'' from permitting an 
offending third party to access PII from education records for at least 
five years, the regulations state that the disclosing educational 
agency or institution ``may not'' allow the third party access to PII 
from education records. One commenter preferred to use the terms ``may 
not'' instead of ``shall be prohibited'' because ``may not'' suggested 
greater flexibility in how the five-year rule would be applied.
    Discussion: We disagree that a conflict exists between the language 
contained in the statute and current regulations regarding the five-
year rule. Specifically, we consider the terms used in the regulations 
(``may not'' allow access) to have the same meaning as the language 
used in the statute (``shall be prohibited'' from permitting access).
    Changes: None.

Executive Order 12866 and 13563

Regulatory Impact Analysis

    Under Executive Order 12866, the Secretary must determine whether 
the regulatory action is ``significant'' and therefore subject to the 
requirements of the Executive Order and subject to review by OMB. 
Section 3(f) of Executive Order 12866 defines a ``significant 
regulatory action'' as an action likely to result in regulations that 
may (1) have an annual effect on the economy of $100 million or more, 
or adversely affect a sector of the economy, productivity, competition, 
jobs, the environment, public health or safety, or State, local or 
tribal governments or communities in a material way (also referred to 
as ``economically significant'' regulations); (2) create serious 
inconsistency or otherwise interfere with an action taken or planned by 
another agency; (3) materially alter the budgetary impacts of 
entitlement grants, user fees, or loan programs or the rights and 
obligations of recipients thereof; or (4) raise novel legal or policy 
issues arising out of legal mandates, the President's priorities, or 
the principles set forth in the Executive order.
    Pursuant to the terms of the Executive Order, we have determined 
this regulatory action is significant and subject to OMB review under 
section 3(f)(4) of Executive Order 12866. Notwithstanding this 
determination, we have assessed the potential costs and benefits--both 
quantitative and qualitative--of this regulatory action. The Department 
believes that the benefits justify the costs.
    The Department has also reviewed these regulations pursuant to 
Executive Order 13563, published on January 21, 2011 (76 FR 3821). 
Executive Order 13563 is supplemental to and explicitly reaffirms the 
principles, structures, and definitions governing regulatory review 
established in Executive Order 12866. To the extent permitted by law, 
agencies are required by Executive Order 13563 to: (1) Propose or adopt 
regulations only upon a reasoned determination that their benefits 
justify their costs (recognizing that some benefits and costs are 
difficult to quantify); (2) tailor their regulations to impose the 
least burden on society, consistent with obtaining regulatory 
objectives, taking into account, among other things, and to the extent 
practicable, the costs of cumulative regulations; (3) select, in 
choosing among alternative regulatory approaches, those approaches that 
maximize net benefits (including potential economic, environmental, 
public health and safety, and other advantages; distributive impacts; 
and equity); (4) specify, to the extent feasible, performance 
objectives, rather than specifying the behavior or manner of compliance 
that regulated entities must adopt; and (5) identify and assess 
available alternatives to direct regulation, including providing 
economic incentives to encourage the desired behavior, such as user 
fees or marketable permits, or providing information upon which choices 
can be made by the public.
    We emphasize as well that Executive Order 13563 requires agencies 
``to use the best available techniques to quantify anticipated present 
and future benefits and costs as accurately as possible.'' In its 
February 2, 2011, memorandum (M-11-10) on Executive Order 13563, 
improving regulation and regulatory review, the Office of Information 
and Regulatory Affairs in OMB has emphasized that such techniques may 
include ``identifying changing future compliance costs that might 
result from technological innovation or anticipated behavioral 
changes.''
    We are issuing these regulations only upon a reasoned determination 
that their benefits justify their costs, and we selected, in choosing 
among alternative regulatory approaches, those approaches that maximize 
net benefits. Based on the following analysis, the Department believes 
that these final regulations are consistent with the principles in 
Executive Order 13563.
    We also have determined that this regulatory action would not 
unduly interfere with State, local, and tribal governments in the 
exercise of their governmental functions.

[[Page 75637]]

Potential Costs and Benefits

    Following is an analysis of the costs and benefits of the changes 
reflected in these final FERPA regulations. These changes facilitate 
the disclosure, without written consent, of PII from education records 
for the purposes of auditing or evaluating Federal- or State-supported 
education programs and enforcing or ensuring compliance with Federal 
legal requirements related to these programs. In conducting this 
analysis, the Department examined the extent to which the changes add 
to or reduce the costs of educational agencies, other agencies, and 
institutions in complying with the FERPA regulations prior to these 
changes, and the extent to which the changes are likely to provide 
educational benefit. Allowing data-sharing across agencies, because it 
increases the number of individuals who have access to PII from 
education records, may increase the risk of unauthorized disclosure of 
PII from education records. However, we do not believe that the staff 
in the additional agencies who will have access to PII from education 
records are any more likely to violate FERPA than existing users, and 
the strengthened accountability and enforcement mechanisms reflected in 
these regulations will help to ensure better compliance overall. While 
there will be administrative costs associated with implementing data-
sharing protocols that ensure that PII from education records is 
disclosed in accordance with the limitations in FERPA, we believe that 
the relatively minimal administrative costs of establishing these 
protocols will be off-set by potential analytic benefits. Based on this 
analysis, the Secretary has concluded that the amendments reflected in 
these final regulations will result in savings to entities and have the 
potential to benefit the Nation by improving capacity to conduct 
analyses that will provide information needed to improve education.

Authorized Representative

    These regulations amend Sec.  99.3 by adding a definition of the 
term ``authorized representative;'' an authorized representative is any 
individual or entity designated by a State or local educational 
authority or a Federal agency headed by the Secretary, the Comptroller 
General, or the Attorney General to carry out audits, evaluations, or 
enforcement or compliance activities relating to education programs. 
FERPA permits educational authorities to provide to authorized 
representatives PII from education records for the purposes of 
conducting audits, evaluations, or enforcement and compliance 
activities relating to Federal- and State-supported education programs. 
However, in the past, we had not defined the term ``authorized 
representative'' in our regulations. The Department's position had been 
that educational authorities may only disclose education records to 
entities over which they have direct control, such as an employee or a 
contractor. Therefore, under the Department's interpretation of its 
regulations, SEAs were not able to disclose PII from education records 
to many State agencies, even for the purpose of evaluating education 
programs under the purview of the SEAs. For example, an SEA or LEA 
could not disclose PII from education records to a State employment 
agency for the purpose of obtaining data on post-school outcomes such 
as employment for its former students. Thus, if an SEA or LEA wanted to 
match education records with State employment records for purposes of 
evaluating its secondary education programs, it would have to import 
the entire workforce database and do the match itself (or contract with 
a third party to do the same analysis). Similarly, if a State workforce 
agency wanted to use PII from education records maintained by the SEA 
in its SLDS, in combination with data it had on employment outcomes, to 
evaluate secondary vocational education programs, it would not be able 
to obtain PII from the education records in the SEA's SLDS to conduct 
the analyses. It would have to provide the workforce data to the SEA so 
that the SEA could conduct the analyses or to a third party (e.g., an 
entity under the direct control of the SEA) to construct the needed 
longitudinal administrative data systems. While feasible, these 
strategies force agencies to outsource their analyses to other agencies 
or entities, adding administrative cost, burden, and complexity. 
Moreover, preventing agencies from using PII from education records 
directly for conducting their own analytical work increases the 
likelihood that the work will not meet their expectations or get done 
at all. Finally, the previous interpretation of the current regulations 
exposed greater amounts of PII from education records to risk of 
disclosure as a result of greater quantities of PII from education 
records moving across organizations (e.g., the entire workforce 
database) than would be the case with a more targeted data request 
(e.g., disclosure of PII from education records for graduates from a 
given year who appear in the workforce database). These final 
regulations allow FERPA-permitted entities to disclose PII from 
education records without consent to authorized representatives, which 
may include other State agencies, or to house data in a common State 
data system, such as a data warehouse administered by a central State 
authority for the purposes of conducting audits or evaluations of 
Federal- or State-supported education programs, or for enforcement of 
and ensuring compliance with Federal legal requirements relating to 
Federal- and State-supported education programs (consistent with FERPA 
and other Federal and State confidentiality and privacy provisions).
    The Department also amends Sec.  99.35 to require that FERPA-
permitted entities use written agreements with an authorized 
representative (other than employees) when they agree to disclose PII 
from education records without consent to the authorized representative 
under the audit or evaluation exception. The cost of entering into such 
agreements should be minimal in relation to the benefits of being able 
to disclose this information. Section Sec.  99.35(a)(3) requires that 
the written agreement specify that the information is being disclosed 
for the purpose of carrying out an allowable audit, evaluation, or 
enforcement or compliance activity, as well as a description of the 
activity and how the disclosed information is to be used.

Education Program

    The final regulations amend Sec.  99.3 by adding a definition for 
the term ``education program.'' This definition clarifies that an 
education program can include a program administered by a non-
educational agency (e.g., an early childhood program administered by a 
human services agency or a career and technical education program 
administered by a workforce or labor agency) and any program 
administered by an educational agency or institution. These final 
regulations also define the term ``early childhood education program,'' 
because that term is used in the definition of ``education program.'' 
For the definition of the ``early education program,'' we use the 
definition of that term from HEA.
    These definitions, in combination with the addition of the 
definition of the term ``authorized representative,'' results in a 
regulatory framework for FERPA that allows non-educational agencies to 
have easier access to PII in student education records that they can 
use to evaluate the education programs they administer. For example, 
these changes permit disclosures of PII in

[[Page 75638]]

elementary and secondary school education records without consent to a 
non-educational agency that is administering an early childhood 
education program in order to evaluate the impact of its early 
childhood education program on its students' long-term educational 
outcomes. The potential benefits of these regulatory changes are 
substantial, including the benefits of non-educational agencies that 
are administering education programs, as that term is defined in these 
regulations, being able to conduct their own analyses without incurring 
the prohibitive costs of obtaining consent for access to individual 
students' PII from education records.

Research Studies

    Section (b)(1)(F) of FERPA permits educational agencies and 
institutions to disclose PII from education records without consent to 
organizations conducting research studies for, or on behalf of, 
educational agencies or institutions from which the PII from education 
records originated, for statutorily-specified purposes. The amendment 
to Sec.  99.31(a)(6) permits any of the authorities listed in Sec.  
99.31(a)(3), including SEAs, to enter into written agreements that 
provide for the disclosure of PII from education records to research 
organizations for studies that would benefit the educational agencies 
or institutions that disclosed the PII to the SEA or other educational 
authorities. The preamble to the final FERPA regulations published in 
the Federal Register on December 9, 2008 (73 FR 74806, 74826) took the 
position that an SEA, for example, could not redisclose PII from 
education records that it obtained from an LEA to a research 
organization unless the SEA had separate legal authority to act for, or 
on behalf of, the LEA (or other educational institution. Because, in 
practice, this authority may not be explicit in all States, we are 
amending Sec.  99.31 to specifically allow State educational 
authorities, which include SEAs, to enter into agreements with research 
organizations for studies that are for one or more of the enumerated 
purposes under FERPA, such as studies to improve instruction (see Sec.  
99.31(a)(6)(ii)). The Department believes that this regulatory change 
will be beneficial because it will reduce the administrative costs of, 
and reduce the barriers to, using PII from education records, including 
PII from education records in SLDS, in order to conduct studies to 
improve instruction in education programs.

Authority To Evaluate

    Current Sec.  99.35(a)(2) provides that the authority for a FERPA-
permitted entity to conduct an audit, evaluation, or enforcement or 
compliance activity must be established under a Federal, State, or 
local authority other than FERPA. Lack of such explicit State or local 
authority has hindered the use of PII from education records in some 
States. These final regulations remove this language about legal 
authority because we believe that the language unnecessarily caused 
confusion in the field. This is because FERPA does not require that a 
State or local educational authority have express legal authority to 
conduct audits, evaluations, or compliance or enforcement activities. 
Rather, we believe FERPA permits disclosure of PII from education 
records to a State or local educational authority if that entity also 
has implied authority to conduct audit, evaluation, or enforcement or 
compliance activities with respect to its own programs.
    This regulatory change also allows an SEA to receive PII from 
education records originating at postsecondary institutions as needed 
to evaluate its own programs and determine whether its schools are 
adequately preparing students for higher education. The preamble to the 
final FERPA regulations published in the Federal Register on December 
9, 2008 (73 FR 74806, 74822) suggested that PII in education records 
maintained by postsecondary institutions could only be disclosed to an 
SEA if the SEA had legal authority to evaluate postsecondary 
institutions. This interpretation restricted SEAs from conducting 
analyses to determine how effectively their own programs are preparing 
students for higher education and from identifying effective programs. 
As a result, this interpretation resulted in a regulatory framework for 
FERPA that has hindered efforts to improve education. The primary 
benefit of this change is that it will allow SEAs to conduct analyses 
of data that includes PII from education records for the purpose of 
program evaluations (consistent with FERPA and other Federal and State 
confidentiality and privacy provisions) without incurring the 
prohibitive costs of obtaining prior written consent from eligible 
students or parents.

Educational Agency or Institution

    Sections (f) and (g) of FERPA authorize the Secretary to take 
appropriate actions to enforce the law and address FERPA violations, 
but subpart E of the current FERPA regulations only addressed alleged 
violations of FERPA by an ``educational agency or institution.'' 
Because the Department had not interpreted the term ``educational 
agency or institution'' to include agencies or institutions that 
students do not attend (such as an SEA), the current FERPA regulations 
do not specifically permit the Secretary to bring an enforcement action 
against an SEA or other State or local educational authority or any 
other recipient of Department funds under a program administered by the 
Secretary that did not meet the definition of an ``educational agency 
or institution'' under FERPA. Thus, for example, if an SEA improperly 
redisclosed PII from education records obtained from its LEAs, the 
Department could pursue enforcement actions against each of the LEAs 
(because the Department views an LEA as an educational agency attended 
by students), but not the SEA. These final regulations amend the 
regulatory provisions in subpart E to clarify that the Secretary may 
investigate, process, review, and enforce complaints and violations of 
FERPA against an educational agency or institution, any other recipient 
of Department funds under a program administered by the Secretary, or 
other third parties.
    This change will result in some administrative savings and improve 
the efficiency of the enforcement process. Under the current 
regulations, if, for example, an SEA with 500 LEAs improperly 
redisclosed PII from its SLDS to an unauthorized party, the Department 
would have had to investigate each of the 500 LEAs, which are unlikely 
to have had knowledge relating to the disclosure. Under the final 
regulations, the LEAs will be relieved of any administrative costs 
associated with responding to the Department's request for information 
about the disclosure and the Department will immediately direct the 
focus of its investigation on the SEA, the agency most likely to have 
information on and bear responsibility for the disclosure of PII, 
without having to spend time and resources contacting the LEAs.

Regulatory Flexibility Act Certification

    The Secretary certifies that this regulatory action will not have a 
significant economic impact on a substantial number of small entities.
    The small entities that this final regulatory action will affect 
are small LEAs. The Secretary believes that the costs imposed by these 
regulations will be limited to paperwork burden related to requirements 
concerning data-sharing agreements and that the benefits from ensuring 
that PII from education records are collected, stored, and shared

[[Page 75639]]

appropriately outweigh any costs incurred by these small LEAs. In 
addition, it is possible that State and local educational authorities 
may enter into agreements with small institutions of higher education 
or other small entities that will serve as their authorized 
representatives to conduct evaluations or other authorized activities. 
Entering into such agreements would be entirely voluntary on the part 
of the institutions of higher education or other entities, would be of 
minimal cost, and presumably would be for the benefit of the 
institution of higher education or other entity.
    The U.S. Small Business Administration Size Standards define as 
``small entities'' for-profit or nonprofit institutions with total 
annual revenue below $7,000,000 or, if they are institutions controlled 
by small governmental jurisdictions (that are comprised of cities, 
counties, towns, townships, villages, school districts, or special 
districts), with a population of less than 50,000.
    According to estimates from the U.S. Census Bureau's Small Area 
Income and Poverty Estimates programs that were based on school 
district boundaries for the 2007-2008 school year, there are 12,484 
LEAs in the country that include fewer than 50,000 individuals within 
their boundaries and for which there is estimated to be at least one 
school-age child. In its 1997 publication, Characteristics of Small and 
Rural School Districts, the NCES defined a small school district as 
``one having fewer students in membership than the sum of (a) 25 
students per grade in the elementary grades it offers (usually K-8) and 
(b) 100 students per grade in the secondary grades it offers (usually 
9-12).'' Using this definition, a district would be considered small if 
it had fewer than 625 students in membership. The Secretary believes 
that the 4,800 very small LEAs that meet this second definition are 
highly unlikely to enter into data-sharing agreements directly with 
outside entities.
    In the NPRM, the Department solicited comments from entities 
familiar with data sharing in small districts on the number of entities 
likely to enter into agreements each year, the number of such 
agreements, and the number of hours required to execute each agreement, 
but we received no comments and do not have reliable data with which to 
estimate how many of the remaining 7,684 small LEAs will enter into 
data-sharing agreements. For small LEAs that enter into data-sharing 
agreements, we estimate that they will spend approximately 4 hours 
executing each agreement, using a standard data-sharing protocol. Thus, 
we assume the impact on the entities will be minimal.

Federalism

    Executive Order 13132 requires us to ensure meaningful and timely 
input by State and local elected officials in the development of 
regulatory policies that have federalism implications. ``Federalism 
implications'' means substantial direct effects on the States, on the 
relationship between the National Government and the States, or on the 
distribution of power and responsibilities among the various levels of 
government. Among other requirements, the Executive order requires us 
to consult with State and local elected officials respecting any 
regulations that have federalism implications and either preempt State 
law or impose substantial direct compliance costs on State and local 
governments, and are not required by statute, unless the Federal 
government provides the funds for those costs.
    The Department has reviewed these final regulations in accordance 
with Executive Order 13132. We have concluded that these final 
regulations do not have federalism implications, as defined in the 
Executive order. The regulations do not have substantial direct effects 
on the States, on the relationship between the national government and 
the States, or on the distribution of power and responsibilities among 
the various levels of government.
    In the NPRM we explained that the proposed regulations in 
Sec. Sec.  99.3, 99.31(a)(6), and 99.35 may have federalism 
implications, as defined in Executive Order 13132, and we asked that 
State and local elected officials make comments in this regard. One 
commenter stated that it believed that some of the proposed changes 
would increase burdens on SEAs, especially with respect to enforcing 
the destruction of PII from education records once a study or an audit 
or evaluation has ended.
    The FERPA requirements that PII from education records be destroyed 
when no longer needed for both the studies exception and the audit or 
evaluation exception are statutory (20 U.S.C. 1232g(b)(1)(F) and 
1232g(b)(3)). Further, the regulatory provisions concerning destruction 
for these two exceptions (Sec. Sec.  99.31(a)(6) and 99.35) are not 
new. Therefore, these final regulations do not include additional 
burden.
    After giving careful consideration to the comment, we conclude that 
these final regulations do not have federalism implications as defined 
in Executive Order 13132.

Paperwork Reduction Act of 1995

    As part of its continuing effort to reduce paperwork and respondent 
burden, the Department conducts a preclearance consultation program to 
provide the general public and Federal agencies with an opportunity to 
comment on proposed and continuing collections of information in 
accordance with the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 
3506(c)(2)(A)). This helps ensure that: the public understands the 
Department's collection instructions; respondents can provide the 
requested data in the desired format; reporting burden (time and 
financial resources) is minimized; collection instruments are clearly 
understood; and the Department can properly assess the impact of 
collection requirements on respondents. The term ``collections of 
information'' under the PRA includes regulatory requirements that 
parties must follow concerning paperwork, e.g., the requirement that 
educational agencies and institutions annually notify parents and 
eligible students of their rights under FERPA. It does not necessarily 
mean that information is being collected by a government entity.
    Sections 99.7, 99.31(a)(6)(ii), 99.35(a)(3), and 99.37(d) contain 
information collection requirements. In the NPRM published on April 8, 
2011, we requested public comments on the information collection 
requirements in proposed Sec. Sec.  99.31(a)(6)(ii) and 99.35(a)(3). 
Since publication of the NPRM, we have determined that Sec.  99.37(d) 
also has an information collection associated with it. In addition, 
since publication of the NPRM, we decided to make changes to the model 
notification, which we provide to assist entities to comply with the 
annual notification of rights requirement in Sec.  99.7. Therefore, 
this section discusses the information collections associated with 
these four regulatory provisions. These information collections will be 
submitted to OMB for review and approval. A valid OMB control number 
will be assigned to the information collection requirements at the end 
of the affected sections of the regulations.

Section 99.7--Annual Notification of Rights Requirement (OMB Control 
Number 1875-0246)

    Although we did not propose any changes to Sec.  99.7, which 
requires that educational agencies and institutions annually notify 
parents and eligible students of their rights under FERPA, we did make 
some modifications to our

[[Page 75640]]

model notification associated with this requirement. Specifically, to 
allow parents and eligible students to more fully understand the 
circumstances under which disclosures may occur without their consent, 
we have amended the model annual notifications to include a listing of 
the various exceptions to the general consent rule in the regulations. 
The model notices (one for elementary and secondary schools and another 
one for postsecondary institutions) are included as Appendix B and 
Appendix C to this notice. We also post the model notifications on our 
Web site and have indicated the site address in the preamble. We do not 
believe that this addition to the model notification increases the 
currently approved burden of .25 hours (15 minutes) we previously 
estimated for the annual notification of rights requirement.

Section 99.31(a)(6)(ii)--Written Agreements for Studies (OMB Control 
Number 1875-0246)

    The final regulations modify the information collection 
requirements in Sec.  99.31(a)(6)(ii); however, the Department does not 
believe these regulatory changes result in any new burden to State or 
local educational authorities. As amended, Sec.  99.31(a)(6)(ii) 
clarifies that FERPA-permitted entities may enter into written 
agreements with organizations conducting studies for, or on behalf of, 
educational agencies and institutions. We do not believe this will 
result in a change or an increase in burden because the provision would 
permit an organization conducting a study to enter into one written 
agreement with a FERPA-permitted entity, rather than making the 
organization enter into multiple written agreements with a variety of 
schools and school districts.

Section 99.35(a)(3)--Written Agreements for Audits, Evaluations, 
Compliance or Enforcement Activities (OMB Control Number 1875-0246)

    Section 99.35(a)(3) requires FERPA-permitted entities to use a 
written agreement to designate authorized representatives other than 
agency employees. Under the final regulations, the agreement must: (1) 
Designate the individual or entity as an authorized representative; (2) 
specify the PII from education records to be disclosed; (3) specify 
that the purpose for which the PII from education records is disclosed 
to the authorized representative is to carry out an audit or evaluation 
of Federal- or State-supported education programs, or to enforce or to 
comply with Federal legal requirements that relate to those programs; 
(4) describe the activity to make clear that it legitimately fits 
within the exception of Sec.  99.31; (5) require the authorized 
representative to destroy PII from education records when the 
information is no longer needed for the purpose specified; (6) specify 
the time period in which the PII from education records must be 
destroyed; and (7) establish policies and procedures, consistent with 
FERPA and other Federal and State confidentiality and privacy 
provisions, to protect PII from education records from further 
disclosure (except back to the disclosing entity) and unauthorized use. 
The total estimated burden under this provision is 9,928 hours. 
Specifically, the burden for States under this provision is estimated 
to be 40 hours annually for each of the 103 State educational 
authorities in the various States and territories subject to FERPA (one 
for K-12 and one for postsecondary in each SEA). Assuming that each 
State authority handles the agreements up to 10 times per year with an 
estimated 4 hours per agreement, the total anticipated increase in 
annual burden would be 4,120 hours for this new requirement in OMB 
Control Number 1875-0246. In addition, the burden for large LEAs and 
postsecondary institutions (1,452 educational agencies and institutions 
with a student population of over 10,000) is estimated to be 4 hours 
annually. Assuming each large LEA and postsecondary institution handles 
the agreements up to 1 time per year with an estimated 4 hours per 
agreement, the total anticipated increase in annual burden for large 
LEAs and postsecondary institutions would be 5,808 hours for this 
requirement.

    Note: For purposes of the burden analysis for Sec.  99.35(a)(3), 
we estimate the burden on large LEAs and postsecondary institutions 
because we believe that estimating burden for these institutions 
captures the high-end of the burden estimate. We expect that burden 
for smaller LEAs and postsecondary institutions under Sec.  
99.35(a)(3) would be much less than estimated here.

Section 99.37(d)--Parental Notice of Disclosure of Directory 
Information (OMB Control Number 1875-0246)

    Section 99.37(d) requires any educational agency or institution 
that elects to implement a limited directory information policy to 
specify its policy in the public notice to parents and eligible 
students in attendance at the educational agency or institution. We do 
not expect this requirement to result in an additional burden for most 
educational agencies and institutions because educational agencies and 
institutions are already required under Sec.  99.37(a) to provide 
public notice of its directory information policy. However, the change 
reflected in amended Sec.  99.37(d) could result in a burden increase 
for an educational agency or institution that currently has a policy of 
disclosing all directory information and elects, under the new 
regulations, to limit the disclosure of directory information. The 
agency or institution would now be required to inform parents and 
eligible students that it has a limited directory information policy. 
The notice provides parents and eligible students with the opportunity 
to opt out of the disclosure of directory information. Additionally, 
many educational agencies and institutions include their directory 
information notice as part of the required annual notification of 
rights under Sec.  99.7, which is already listed as a burden and 
approved under OMB Control Number 1875-0246. These educational agencies 
and institutions, therefore, would not experience an increase in burden 
associated with the changes reflected in Sec.  99.37(d).

Assessment of Educational Impact

    In the NPRM, and in accordance with section 441 of the General 
Education Provisions Act, 20 U.S.C. 1221e-4, we requested comments on 
whether the proposed regulations would require transmission of 
information that any other agency or authority of the United States 
gathers or makes available.
    Based on the response to the NPRM and on our review, we have 
determined that these final regulations do not require transmission of 
information that any other agency or authority of the United States 
gathers or makes available.
    Accessible Format: Individuals with disabilities can obtain this 
document in an accessible format (e.g., braille, large print, 
audiotape, or compact disc) on request to the program contact person 
listed under FOR FURTHER INFORMATION CONTACT.
    Electronic Access to This Document: The official version of this 
document is the document published in the Federal Register. Free 
Internet access to the official edition of the Federal Register and the 
Code of Federal Regulations is available via the Federal Digital System 
at: http://www.gpo.gov/fdsys. At this site you can view this document, 
as well as all other documents of this Department published in the 
Federal Register, in text or Adobe Portable Document Format (PDF). To 
use PDF you must have Adobe Acrobat Reader, which is available free at 
the site.
    You may also access documents of the Department published in the 
Federal

[[Page 75641]]

Register by using the article search feature at: http://www.federalregister.gov. Specifically, through the advanced search 
feature at this site, you can limit your search to documents published 
by the Department.

(Catalog of Federal Domestic Assistance Number does not apply.)

List of Subjects in 34 CFR Part 99

    Administrative practice and procedure, Directory information, 
Education records, Information, Parents, Privacy, Records, Social 
Security numbers, Students.

    Dated: November 23, 2011.
Arne Duncan,
Secretary of Education.

    For the reasons discussed in the preamble, the Secretary amends 
part 99 of title 34 of the Code of Federal Regulations as follows:

PART 99--FAMILY EDUCATIONAL RIGHTS AND PRIVACY

0
1. The authority citation for part 99 continues to read as follows:

    Authority:  20 U.S.C. 1232g, unless otherwise noted.

0
2. Section 99.3 is amended by:
0
A. Adding, in alphabetical order, definitions for authorized 
representative, early childhood education program, and education 
program.
0
B. Revising the definition of directory information. The additions and 
revision read as follows:


Sec.  99.3  What definitions apply to these regulations?

* * * * *
    Authorized representative means any entity or individual designated 
by a State or local educational authority or an agency headed by an 
official listed in Sec.  99.31(a)(3) to conduct--with respect to 
Federal- or State-supported education programs--any audit or 
evaluation, or any compliance or enforcement activity in connection 
with Federal legal requirements that relate to these programs.

(Authority: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5))

* * * * *
    Directory information means information contained in an education 
record of a student that would not generally be considered harmful or 
an invasion of privacy if disclosed.
    (a) Directory information includes, but is not limited to, the 
student's name; address; telephone listing; electronic mail address; 
photograph; date and place of birth; major field of study; grade level; 
enrollment status (e.g., undergraduate or graduate, full-time or part-
time); dates of attendance; participation in officially recognized 
activities and sports; weight and height of members of athletic teams; 
degrees, honors, and awards received; and the most recent educational 
agency or institution attended.
    (b) Directory information does not include a student's--
    (1) Social security number; or
    (2) Student identification (ID) number, except as provided in 
paragraph (c) of this definition.
    (c) In accordance with paragraphs (a) and (b) of this definition, 
directory information includes--
    (1) A student ID number, user ID, or other unique personal 
identifier used by a student for purposes of accessing or communicating 
in electronic systems, but only if the identifier cannot be used to 
gain access to education records except when used in conjunction with 
one or more factors that authenticate the user's identity, such as a 
personal identification number (PIN), password or other factor known or 
possessed only by the authorized user; and
    (2) A student ID number or other unique personal identifier that is 
displayed on a student ID badge, but only if the identifier cannot be 
used to gain access to education records except when used in 
conjunction with one or more factors that authenticate the user's 
identity, such as a PIN, password, or other factor known or possessed 
only by the authorized user.

(Authority: 20 U.S.C. 1232g(a)(5)(A))

* * * * *
    Early childhood education program means--
    (a) A Head Start program or an Early Head Start program carried out 
under the Head Start Act (42 U.S.C. 9831 et seq.), including a migrant 
or seasonal Head Start program, an Indian Head Start program, or a Head 
Start program or an Early Head Start program that also receives State 
funding;
    (b) A State licensed or regulated child care program; or
    (c) A program that--
    (1) Serves children from birth through age six that addresses the 
children's cognitive (including language, early literacy, and early 
mathematics), social, emotional, and physical development; and
    (2) Is--
    (i) A State prekindergarten program;
    (ii) A program authorized under section 619 or part C of the 
Individuals with Disabilities Education Act; or
    (iii) A program operated by a local educational agency.
* * * * *
    Education program means any program that is principally engaged in 
the provision of education, including, but not limited to, early 
childhood education, elementary and secondary education, postsecondary 
education, special education, job training, career and technical 
education, and adult education, and any program that is administered by 
an educational agency or institution.

(Authority: 20 U.S.C. 1232g(b)(3), (b)(5))

* * * * *

0
3. Section 99.31 is amended by:
0
A. Removing paragraph (a)(6)(iii).
0
B. Redesignating paragraph (a)(6)(ii) as paragraph (a)(6)(iii).
0
C. Adding a new paragraph (a)(6)(ii).
0
D. Revising the introductory text of newly redesignated paragraph 
(a)(6)(iii).
0
E. Revising the introductory text of newly redesignated paragraph 
(a)(6)(iii)(C).
0
F. Revising newly redesignated paragraph (a)(6)(iii)(C)(4).
0
G. Revising paragraph (a)(6)(iv).
    The addition and revisions read as follows:


Sec.  99.31  Under what conditions is prior consent not required to 
disclose information?

    (a) * * *
    (6) * * *
    (ii) Nothing in the Act or this part prevents a State or local 
educational authority or agency headed by an official listed in 
paragraph (a)(3) of this section from entering into agreements with 
organizations conducting studies under paragraph (a)(6)(i) of this 
section and redisclosing personally identifiable information from 
education records on behalf of educational agencies and institutions 
that disclosed the information to the State or local educational 
authority or agency headed by an official listed in paragraph (a)(3) of 
this section in accordance with the requirements of Sec.  99.33(b).
    (iii) An educational agency or institution may disclose personally 
identifiable information under paragraph (a)(6)(i) of this section, and 
a State or local educational authority or agency headed by an official 
listed in paragraph (a)(3) of this section may redisclose personally 
identifiable information under paragraph (a)(6)(i) and (a)(6)(ii) of 
this section, only if--
* * * * *
    (C) The educational agency or institution or the State or local 
educational authority or agency headed by an official listed in 
paragraph (a)(3)

[[Page 75642]]

of this section enters into a written agreement with the organization 
that--
* * * * *
    (4) Requires the organization to destroy all personally 
identifiable information when the information is no longer needed for 
the purposes for which the study was conducted and specifies the time 
period in which the information must be destroyed.
    (iv) An educational agency or institution or State or local 
educational authority or Federal agency headed by an official listed in 
paragraph (a)(3) of this section is not required to initiate a study or 
agree with or endorse the conclusions or results of the study.
* * * * *


Sec.  99.33  [Amended]

0
4. Section 99.33 is amended by removing paragraph (e).
0
5. Section 99.35 is amended by:
0
A. Revising paragraph (a)(2).
0
B. Adding a new paragraph (a)(3).
0
C. Revising paragraph (b).
0
D. Revising the authority citation at the end of the section.
    The addition and revisions read as follows:


Sec.  99.35  What conditions apply to disclosure of information for 
Federal or State program purposes?

    (a) * * *
    (2) The State or local educational authority or agency headed by an 
official listed in Sec.  99.31(a)(3) is responsible for using 
reasonable methods to ensure to the greatest extent practicable that 
any entity or individual designated as its authorized representative--
    (i) Uses personally identifiable information only to carry out an 
audit or evaluation of Federal- or State-supported education programs, 
or for the enforcement of or compliance with Federal legal requirements 
related to these programs;
    (ii) Protects the personally identifiable information from further 
disclosures or other uses, except as authorized in paragraph (b)(1) of 
this section; and
    (iii) Destroys the personally identifiable information in 
accordance with the requirements of paragraphs (b) and (c) of this 
section.
    (3) The State or local educational authority or agency headed by an 
official listed in Sec.  99.31(a)(3) must use a written agreement to 
designate any authorized representative, other than an employee. The 
written agreement must--
    (i) Designate the individual or entity as an authorized 
representative;
    (ii) Specify--
    (A) The personally identifiable information from education records 
to be disclosed;
    (B) That the purpose for which the personally identifiable 
information from education records is disclosed to the authorized 
representative is to carry out an audit or evaluation of Federal- or 
State-supported education programs, or to enforce or to comply with 
Federal legal requirements that relate to those programs; and
    (C) A description of the activity with sufficient specificity to 
make clear that the work falls within the exception of Sec.  
99.31(a)(3), including a description of how the personally identifiable 
information from education records will be used;
    (iii) Require the authorized representative to destroy personally 
identifiable information from education records when the information is 
no longer needed for the purpose specified;
    (iv) Specify the time period in which the information must be 
destroyed; and
    (v) Establish policies and procedures, consistent with the Act and 
other Federal and State confidentiality and privacy provisions, to 
protect personally identifiable information from education records from 
further disclosure (except back to the disclosing entity) and 
unauthorized use, including limiting use of personally identifiable 
information from education records to only authorized representatives 
with legitimate interests in the audit or evaluation of a Federal- or 
State-supported education program or for compliance or enforcement of 
Federal legal requirements related to these programs.
    (b) Information that is collected under paragraph (a) of this 
section must--
    (1) Be protected in a manner that does not permit personal 
identification of individuals by anyone other than the State or local 
educational authority or agency headed by an official listed in Sec.  
99.31(a)(3) and their authorized representatives, except that the State 
or local educational authority or agency headed by an official listed 
in Sec.  99.31(a)(3) may make further disclosures of personally 
identifiable information from education records on behalf of the 
educational agency or institution in accordance with the requirements 
of Sec.  99.33(b); and
    (2) Be destroyed when no longer needed for the purposes listed in 
paragraph (a) of this section.
* * * * *

(Authority: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5))



0
5. Section 99.37 is amended by:
0
A. Revising paragraph (c).
0
B. Redesignating paragraph (d) as paragraph (e).
0
C. Adding a new paragraph (d).
    The addition and revision read as follows:


Sec.  99.37  What conditions apply to disclosing directory information?

* * * * *
    (c) A parent or eligible student may not use the right under 
paragraph (a)(2) of this section to opt out of directory information 
disclosures to--
    (1) Prevent an educational agency or institution from disclosing or 
requiring a student to disclose the student's name, identifier, or 
institutional email address in a class in which the student is 
enrolled; or
    (2) Prevent an educational agency or institution from requiring a 
student to wear, to display publicly, or to disclose a student ID card 
or badge that exhibits information that may be designated as directory 
information under Sec.  99.3 and that has been properly designated by 
the educational agency or institution as directory information in the 
public notice provided under paragraph (a)(1) of this section.
    (d) In its public notice to parents and eligible students in 
attendance at the agency or institution that is described in paragraph 
(a) of this section, an educational agency or institution may specify 
that disclosure of directory information will be limited to specific 
parties, for specific purposes, or both. When an educational agency or 
institution specifies that disclosure of directory information will be 
limited to specific parties, for specific purposes, or both, the 
educational agency or institution must limit its directory information 
disclosures to those specified in its public notice that is described 
in paragraph (a) of this section.
* * * * *

0
6. Section 99.61 is revised to read as follows:


Sec.  99.61  What responsibility does an educational agency or 
institution, a recipient of Department funds, or a third party outside 
of an educational agency or institution have concerning conflict with 
State or local laws?

    If an educational agency or institution determines that it cannot 
comply with the Act or this part due to a conflict with State or local 
law, it must notify the Office within 45 days, giving the text and 
citation of the conflicting law. If another recipient of Department 
funds under any program administered by the Secretary or a third party 
to which personally identifiable information from education records has 
been non-

[[Page 75643]]

consensually disclosed determines that it cannot comply with the Act or 
this part due to a conflict with State or local law, it also must 
notify the Office within 45 days, giving the text and citation of the 
conflicting law.

(Authority: 20 U.S.C. 1232g(f))


0
7. Section 99.62 is revised to read as follows:


Sec.  99.62  What information must an educational agency or institution 
or other recipient of Department funds submit to the Office?

    The Office may require an educational agency or institution, other 
recipient of Department funds under any program administered by the 
Secretary to which personally identifiable information from education 
records is non-consensually disclosed, or any third party outside of an 
educational agency or institution to which personally identifiable 
information from education records is non-consensually disclosed to 
submit reports, information on policies and procedures, annual 
notifications, training materials, or other information necessary to 
carry out the Office's enforcement responsibilities under the Act or 
this part.

(Authority: 20 U.S.C. 1232g(b)(4)(B), (f), and (g))



0
8. Section 99.64 is amended by:
0
A. Revising paragraphs (a) and (b).
0
B. Revising the authority citation at the end of the section.
    The revisions read as follows:


Sec.  99.64  What is the investigation procedure?

    (a) A complaint must contain specific allegations of fact giving 
reasonable cause to believe that a violation of the Act or this part 
has occurred. A complaint does not have to allege that a violation is 
based on a policy or practice of the educational agency or institution, 
other recipient of Department funds under any program administered by 
the Secretary, or any third party outside of an educational agency or 
institution.
    (b) The Office investigates a timely complaint filed by a parent or 
eligible student, or conducts its own investigation when no complaint 
has been filed or a complaint has been withdrawn, to determine whether 
an educational agency or institution or other recipient of Department 
funds under any program administered by the Secretary has failed to 
comply with a provision of the Act or this part. If the Office 
determines that an educational agency or institution or other recipient 
of Department funds under any program administered by the Secretary has 
failed to comply with a provision of the Act or this part, it may also 
determine whether the failure to comply is based on a policy or 
practice of the agency or institution or other recipient. The Office 
also investigates a timely complaint filed by a parent or eligible 
student, or conducts its own investigation when no complaint has been 
filed or a complaint has been withdrawn, to determine whether a third 
party outside of the educational agency or institution has failed to 
comply with the provisions of Sec.  99.31(a)(6)(iii)(B) or has 
improperly redisclosed personally identifiable information from 
education records in violation of Sec.  99.33.
* * * * *

(Authority: 20 U.S.C. 1232g(b)(4)(B), (f) and (g))



0
9. Section 99.65 is amended by revising paragraph (a) to read as 
follows:


Sec.  99.65  What is the content of the notice of investigation issued 
by the Office?

    (a) The Office notifies in writing the complainant, if any, and the 
educational agency or institution, the recipient of Department funds 
under any program administered by the Secretary, or the third party 
outside of an educational agency or institution if it initiates an 
investigation under Sec.  99.64(b). The written notice--
    (1) Includes the substance of the allegations against the 
educational agency or institution, other recipient, or third party; and
    (2) Directs the agency or institution, other recipient, or third 
party to submit a written response and other relevant information, as 
set forth in Sec.  99.62, within a specified period of time, including 
information about its policies and practices regarding education 
records.
* * * * *

0
10. Section 99.66 is revised to read as follows:


Sec.  99.66  What are the responsibilities of the Office in the 
enforcement process?

    (a) The Office reviews a complaint, if any, information submitted 
by the educational agency or institution, other recipient of Department 
funds under any program administered by the Secretary, or third party 
outside of an educational agency or institution, and any other relevant 
information. The Office may permit the parties to submit further 
written or oral arguments or information.
    (b) Following its investigation, the Office provides to the 
complainant, if any, and the educational agency or institution, other 
recipient, or third party a written notice of its findings and the 
basis for its findings.
    (c) If the Office finds that an educational agency or institution 
or other recipient has not complied with a provision of the Act or this 
part, it may also find that the failure to comply was based on a policy 
or practice of the agency or institution or other recipient. A notice 
of findings issued under paragraph (b) of this section to an 
educational agency or institution, or other recipient that has not 
complied with a provision of the Act or this part--
    (1) Includes a statement of the specific steps that the agency or 
institution or other recipient must take to comply; and
    (2) Provides a reasonable period of time, given all of the 
circumstances of the case, during which the educational agency or 
institution or other recipient may comply voluntarily.
    (d) If the Office finds that a third party outside of an 
educational agency or institution has not complied with the provisions 
of Sec.  99.31(a)(6)(iii)(B) or has improperly redisclosed personally 
identifiable information from education records in violation of Sec.  
99.33, the Office's notice of findings issued under paragraph (b) of 
this section--
    (1) Includes a statement of the specific steps that the third party 
outside of the educational agency or institution must take to comply; 
and
    (2) Provides a reasonable period of time, given all of the 
circumstances of the case, during which the third party may comply 
voluntarily.

(Authority: 20 U.S.C. 1232g(b)(4)(B), (f), and (g))



0
11. Section 99.67 is revised to read as follows:


Sec.  99.67  How does the Secretary enforce decisions?

    (a) If an educational agency or institution or other recipient of 
Department funds under any program administered by the Secretary does 
not comply during the period of time set under Sec.  99.66(c), the 
Secretary may take any legally available enforcement action in 
accordance with the Act, including, but not limited to, the following 
enforcement actions available in accordance with part D of the General 
Education Provisions Act--
    (1) Withhold further payments under any applicable program;
    (2) Issue a complaint to compel compliance through a cease and 
desist order; or
    (3) Terminate eligibility to receive funding under any applicable 
program.
    (b) If, after an investigation under Sec.  99.66, the Secretary 
finds that an educational agency or institution, other

[[Page 75644]]

recipient, or third party has complied voluntarily with the Act or this 
part, the Secretary provides the complainant and the agency or 
institution, other recipient, or third party with written notice of the 
decision and the basis for the decision.
    (c) If the Office finds that a third party, outside the educational 
agency or institution, violates Sec.  99.31(a)(6)(iii)(B), then the 
educational agency or institution from which the personally 
identifiable information originated may not allow the third party found 
to be responsible for the violation of Sec.  99.31(a)(6)(iii)(B) access 
to personally identifiable information from education records for at 
least five years.
    (d) If the Office finds that a State or local educational 
authority, a Federal agency headed by an official listed in Sec.  
99.31(a)(3), or an authorized representative of a State or local 
educational authority or a Federal agency headed by an official listed 
in Sec.  99.31(a)(3), improperly rediscloses personally identifiable 
information from education records, then the educational agency or 
institution from which the personally identifiable information 
originated may not allow the third party found to be responsible for 
the improper redisclosure access to personally identifiable information 
from education records for at least five years.
    (e) If the Office finds that a third party, outside the educational 
agency or institution, improperly rediscloses personally identifiable 
information from education records in violation of Sec.  99.33 or fails 
to provide the notification required under Sec.  99.33(b)(2), then the 
educational agency or institution from which the personally 
identifiable information originated may not allow the third party found 
to be responsible for the violation access to personally identifiable 
information from education records for at least five years.

(Authority: 20 U.S.C. 1232g(b)(4)(B) and (f); 20 U.S.C. 1234c)


    Note:  The following appendices will not appear in the Code of 
Federal Regulations.

BILLING CODE 4000-01-P

[[Page 75645]]

[GRAPHIC] [TIFF OMITTED] TR02DE11.062


[[Page 75646]]


[GRAPHIC] [TIFF OMITTED] TR02DE11.063


[[Page 75647]]


[GRAPHIC] [TIFF OMITTED] TR02DE11.064


[[Page 75648]]


[GRAPHIC] [TIFF OMITTED] TR02DE11.065


[[Page 75649]]


[GRAPHIC] [TIFF OMITTED] TR02DE11.066


[[Page 75650]]


[GRAPHIC] [TIFF OMITTED] TR02DE11.067


[[Page 75651]]


[GRAPHIC] [TIFF OMITTED] TR02DE11.068


[[Page 75652]]


[GRAPHIC] [TIFF OMITTED] TR02DE11.069


[[Page 75653]]


[GRAPHIC] [TIFF OMITTED] TR02DE11.070


[[Page 75654]]


[GRAPHIC] [TIFF OMITTED] TR02DE11.071


[[Page 75655]]


[GRAPHIC] [TIFF OMITTED] TR02DE11.072


[[Page 75656]]


[GRAPHIC] [TIFF OMITTED] TR02DE11.073


[[Page 75657]]


[GRAPHIC] [TIFF OMITTED] TR02DE11.074


[[Page 75658]]


[GRAPHIC] [TIFF OMITTED] TR02DE11.075


[[Page 75659]]


[GRAPHIC] [TIFF OMITTED] TR02DE11.076


[[Page 75660]]


[GRAPHIC] [TIFF OMITTED] TR02DE11.077

[FR Doc. 2011-30683 Filed 12-1-11; 8:45 am]
BILLING CODE 4000-01-C