New Privacy Rules Address Outsourcing, Safety Concerns
January 16, 2009
The Department of Education released revised regulations implementing the Family Educational Rights and Privacy Act (FERPA) in December. The lengthy notice is designed to clear up confusion in several areas, including emergencies and the use of contractors or volunteers with access to student records. The revisions also update the regulations to take into account current technologies, two Supreme Court rulings interpreting FERPA, and statutory changes. The revised rules took effect on January 8.
Outsourcing. Under FERPA, personally identifiable information may be disclosed to other school officials with legitimate educational interests without prior approval or following recordkeeping requirements. Recognizing that institutional services are often outsourced, ED has sought in this revision to clarify the application of FERPA to contractors, volunteers, and other third parties. The regulations did not previously address the issue of individuals or entities doing work for an institution who were not employed by the institution. Under the revised rules, third parties will be considered “other school officials” if certain conditions are met.
The new language in §99.31 (beginning in paragraph (B) below) reads:
(a) An educational agency or institution may disclose personally identifiable information from an education record of a student without the consent required by §99.30 if the disclosure meets one or more of the following conditions:
(1)(i)(A) The disclosure is to other school officials, including teachers, within the agency or institution whom the agency or institution has determined to have legitimate educational interests.
(B) A contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions may be considered a school official under this paragraph provided that the outside party--
(1) Performs an institutional service or function for which the agency or institution would otherwise use employees;
(2) Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and
(3) Is subject to the requirements of §99.33(a) governing the use and redisclosure of personally identifiable information from education records.
(ii) An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests. An educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the legitimate educational interest requirement in paragraph (a)(1)(i)(A) of this section.
The preamble to the final rules provides considerable discussion of this provision, as did the notice of proposed rulemaking (NPRM).
Note: According to discussion in the NPRM, an "institution that has not included contractors and other outside service providers as school officials with legitimate educational interests in its annual FERPA notification may not disclose any personally identifiable information from education records to these parties until it has complied with the notice requirements in §99.7(a)(3)(iii)."
Health or Safety Emergencies. ED has made significant changes to the provision allowing disclosure of information to parents or other parties if necessary to protect the health or safety of a student or others. ED has abandoned the former "strict construction" standard of this exception, affording institutions considerably more leeway to determine whether an emergency exists and the appropriate response measures. The new provision at §99.36 reads:
(c) In making a determination under paragraph (a) of this section, an educational agency or institution may take into account the totality of the circumstances pertaining to a threat to the health or safety of a student or other individuals. If the educational agency or institution determines that there is an articulable and significant threat to the health or safety of a student or other individuals, it may disclose information from education records to any person whose knowledge of the information is necessary to protect the health or safety of the student or other individuals. If, based on the information available at the time of the determination, there is a rational basis for the determination, the Department will not substitute its judgment for that of the educational agency or institution in evaluating the circumstances and making its determination.
ED defended these changes in response to comments expressing concern over the liberalization of the exception, but did decide to add a requirement under §99.32(a)(5) that institutions maintain a record of the threat, the circumstances that led to the determination that a health or safety emergency existed, and how the disclosure was justified.
Directory Inforrmation. Under long-standing FERPA rules, an institution may release directory information without the specific consent of students if it has provided public notice to students of its intentions. The revised rules now explicitly exclude social security numbers and student identification numbers from the definition of directory information. An exception is provided for a student ID number, user ID, or other personal identifier used by the student for purposes of accessing or communicating in electronic systems, but only if the identifier cannot be used to gain access to education records without a PIN or other authentication factors.
Disclosure. The definition of disclosure is amended so that providing information from an education record to the party identified as the source of the information does not count as a disclosure. This would allow an institution to confirm the veracity of information with the purported originator.
Alumni Records. The rules clarify that records created or received by an institution after an individual ceases to be a student are not educational records covered by FERPA, unless they directly pertain to the individual’s attendance as a student.
Registered Sex Offenders. ED has simplified the proposed language allowing the disclosure of information on registered sex offenders to the campus community. The provision in §99.31(a)(16) now simply allows disclosure of any information provided to the institution under the Wetterling Act (42 USC 14071).
A number of other issues are also addressed in the regulations and discussed in the introduction to the final rules. The Campus Legal Information Clearinghouse, maintained by the Catholic University of America and the American Council on Education, provides a number of useful documents to help institutions comply, including a list of actions needed.
- December 9 Federal Register notice, final regulations
- March 24 Federal Register notice of proposed rulemaking
- ED’s Family Policy Compliance Office
- Campus Legal Information Clearinghouse
- National Association of College and University Attorneys
NACUBO Contact: Anne C. Gross, vice president, regulatory affairs, 202.861.2544
- NACUBO Expresses Concerns with ED Proposal to Expand Federal Financial Responsibility Rules
- IRS Proposes Modifications to 1098-T Reporting
- ED Policy to Require Annual Student Aid Compliance Audits Beginning FY17
- 2016 Planning and Budgeting Forum
September 19-20, 2016
- 2016 Big Opportunities for Small Institutions
September 20-21, 2016
- 2016 Tax Forum
September 25-27, 2016
- ON-DEMAND: The CBO's Role in Diversity and Inclusion on Campus
- ON-DEMAND: The Clery Act: Strategic Planning to Mitigate Institutional Risk
- ON-DEMAND: Title IX: Key Issues Surrounding Institutional Compliance
- ON-DEMAND: NACUBO Live! Higher Education Accounting Forum
- ON-DEMAND: Responsibility Center Management: Two Different Perspectives