Transcript Slide 1

FERPA: Requirements
Under the New
Regulations
Steven A. Spillan, Esq.
[email protected]
Brustein & Manasevit, PLLC
Spring 2012 Forum
1
1
FERPA: Quick Overview
• Family Educational Rights and Privacy
Act (FERPA)
• Education Records
• Directory Information
• Prohibition on Disclosure of Records
• Prior Written Consent Rule & Exceptions
• Right to Access and Inspect
2
2
FERPA Origin and History
• Section 513 of the Education Amendments of
1974
(P.L. 93-380) (aka “Buckley Amendment”)
• Later codified at 20 U.S.C. § 1232g (Section
444 of the General Education Provisions Act)
• Regulations are located in 34 C.F.R. Part 99
3
3
Basic FERPA Responsibilities
 Educational agency or institution may not
disclose personally identifiable information
within education records to third-parties without
prior written consent of the parent or eligible
student
(with exceptions) – 20 U.S.C. § 1232g(b).
 Educational agency must permit the parent or
eligible student to inspect and review all
education records unless such right has been
waived (with exceptions) – 20 U.S.C. § 1232g(a).
4
4
Basic FERPA Responsibilities (cont.)
• Parent or eligible student has the right to request the correction of
education records which they believe to be inaccurate or misleading
(with limitations) – 34 C.F.R. 99.20.
• Designating directory information – 34 C.F.R. 99.3.
• Educational agency must provide annual notification of rights – 34
C.F.R. 99.7.
5
5
• Any “educational agency or institution” that
receives funds under any program administered
by the U.S. Department of Education if:
• (1) The educational institution provides educational services
or instruction, or both, to students; or
• (2) The educational agency is authorized to direct and control
public elementary or secondary, or postsecondary educational
institutions.
6
6
Who has FERPA rights?
• Eligible students or parent(s)
• Rejected applicant does not have FERPA
rights
• Student accepted for admission at a school
but who ultimately does not attend – no
FERPA rights
• Employees of schools – no FERPA rights
7
7
Education Records
• Education records include, but are not limited to:
•
•
•
•
•
•
Student GPAs and transcripts; final course grades
Admissions materials
Financial aid records
Disciplinary records
Attendance records
Academic counseling records
• Personally identifiable information within the
above documents cannot be disclosed unless (1)
directory information, (2) prior written consent,
or (3) an exception to general rule
8
8
New FERPA Rules
• ED proposed new regulations on April 8, 2011
• Final Rules posted on December 2, 2011
• Allow State educational authorities to enter into agreements
with research organizations for studies that are for one or
more of the enumerated purposes under FERPA, such as
studies to improve instruction
• Specific requirements for written agreements allowing
access to education records in connection with an audit or
evaluation
9
9
Final Rules - Major Clarification
• ED may investigate, review, and process complaints filed
against, or alleged violations of FERPA committed by,
any recipient of ED funds under a program administered
by the Secretary
• Not just educational agencies and institutions
• ED may hold any such recipient accountable for
compliance with FERPA
10
10
Directory Information
• FERPA allows information designated as
“directory information” to be disclosed (without
consent) under two conditions:
• Annual notification of right to opt out of the disclosure
• Opportunity to opt out of the disclosure
• Pre-2008 regulations – Did not explicitly state
whether student’s Social Security Number (SSN),
student ID number or personal identifier for use
in electronic systems could be considered
directory information (and disclosed)
11
11
Directory Information (cont.)
Current Regulations:
• SSN and other student ID numbers cannot be designated
directory information
• School may designate a user ID or unique identifier (not an SSN)
used by the student to access or communicate within electronic
systems under the condition that:
o
The user ID or other unique identifier cannot permit access to
education records except when combined with other authenticating
information known only to the student (such as a password or
separate PIN)
12
12
Directory Information Recent Issues
• Can student information organized by GPA be considered
directory information for FERPA purposes?
• 2001 FPCO Ruling:
• There is no exception that permits an educational agency or
institution to publicly disclose personally identifiable information,
including the student's grades and portions of the student's social
security number, from the education records of students
• If seeking the highest GPA’s could be considered an honor or
award, which can be directory info.
13
Personally Identifiable Information
• Personally identifiable information includes but
is not limited to:
•
•
•
•
The student's name;
The name of the student's parent or other family members;
The address of the student or student's family;
A personal identifier, such as the student's social security number,
student number, or biometric record;
14
14
Personally Identifiable Information (cont.)
• Other indirect identifiers, such as date/place of birth,
mother's maiden name;
• Information that is linked or linkable to a specific
student that would allow a reasonable person in the
school community, to identify the student with
reasonable certainty; or
• Information requested by a person who the educational
agency or institution reasonably believes knows the
identity of the student to whom the education record
relates.
15
15
Prohibition on Disclosure of SSN
•
Amended in 2008:
• Institutions and educational agencies are strictly
prohibited from designating SSNs as directory
information under any circumstances (without
written consent)
16
16
“De-Identification” of Information
• Sets forth objective standards (“reasonable
person” standard) for whether information
released would make the student easily
identifiable
• Recognizes that re-identification risk of any
release of redacted records is cumulative
(because of new technology)
• Requires educational agencies and institutions
to apply a consistent de-identification strategy
for all data releases of a similar type
17
17
Opt Out of Directory Information:
Class Disclosures of Information
In-
• Student may not use the right to opt of directory
information to prevent disclosure or prevent
requiring a student to disclose his/her name,
electronic ID number, or institutional e-mail
address in a class where he/she is enrolled (“the
right to opt out of directory information
disclosures does not include a right to remain
anonymous in class”)
18
18
Opt Out of Directory Information:
Former Students
• Student’s opt-out decision is indefinite, unless the
student rescinds the decision at a later date
19
19
Disclosure of Personally Identifiable
Information: Outsourcing
ED has issued policy letters regarding the use of private
contractors and other third parties providing services and
functions to educational agencies and institutions:
• Use of contractors for developing and maintaining
longitudinal data systems – allowable disclosure under
FERPA (under the “authorized agents” exception, as
long as the contractors have “legitimate educational
interests”)
• Use of other state agency officials as “authorized
agents” in maintaining state longitudinal systems – not
allowable – lack of “direct control” by educational
agency
20
20
Disclosure of Personally Identifiable
Information: Outsourcing (cont.)
• Explicitly allows that a contractor, consultant, volunteer, or other party
to whom an agency or institution has outsourced institutional services
or functions may be considered a school official, as long as the third
party is:
• Performing services or functions that the institution would otherwise
use its own employees to perform
• Under “direct control” of the educational agency or institution with
respect to use and maintenance of education records (slight change
from proposed regulations)
• Subject to the same conditions governing the use and redisclosure of
education records that apply to other school officials
• Agency or institution that outsources must provide notice of outside
parties in its annual FERPA notification (by specifying their contractors,
consultants, and volunteers retained)
21
21
Disclosure of Personally Identifiable
Information: Outsourcing (cont.)
• Records directly related to a student that are maintained by a third
party (under this exception) acting for an agency or institution are
subject to all FERPA requirements (steps into the place of the
agency or institution)
• Institution is responsible for a third party’s failure to comply with
FERPA requirements (in the event the third party discloses
information without an exception or student consent)
• The proposed rules supersede any previous technical assistance
guidance issued by ED on the use of contractors
22
22
Disclosure to Organizations
Conducting Studies
• Institution must enter into written agreement with
recipient organization that specifies the purpose of
the study
• Institution does not have to agree with or endorse
the conclusions or results of the study
23
23
Disclosure to Organizations
Conducting Studies (cont.)
• Written agreement must include provisions:
• Designating the individual or entity as an authorized
representative;
• Specifying the information to be disclosed and that the purpose
for which the information is disclosed to the authorized
representative is for the purposes of carrying out an audit or
evaluation of federal- or State- supported education programs,
or to enforce or to comply with federal legal requirements that
relate to those programs;
• Requiring the authorized representative to destroy or return to
the State or local educational authority or agency PII from
education records when the information is no longer needed for
the purpose specified;
24
24
Disclosing to Organizations Conducting
Studies (cont.)
• Specifying the time period in which the information
must be returned or destroyed;
• Establishing policies and procedures consistent with
FERPA and other federal and State confidentiality and
privacy provisions to protect PII from education records
from further disclosure (except back to the disclosing
entity) and unauthorized use, including limiting use of
PII to only authorized representatives with legitimate
interests; and
• Describing the activity with sufficient specificity to make
clear that the work falls within the audit exception,
including a description of how the PII from education
records will be used.
25
Disclosures for Auditing Purposes
• Authorized representatives of:
•
•
•
•
The Comptroller General of the United States;
The Attorney General of the United States;
The Secretary; or
The State and local educational authorities.
• May have access to education records in connection with an
audit or evaluation of Federal or State supported education
programs, or for the enforcement of, or compliance with,
Federal legal requirements that relate to those programs.
26
Disclosure for Auditing Purposes
• What About OIG?
• For example:
• DOL OIG wants access to education records for audit of an
entity’s WIA program. Can an institution make such a disclosure?
• Inspector General Act gives OIG authority to conduct audits
• OIG is not listed in FERPA rule exceptions
• Institutions may want to get a ruling from either DOL or FPCO
before turning over education records.
27
Disclosure Regarding
Originating Party
• Disclosure does not include returning an
education record (containing personally
identifiable information) to the party identified
as having provided or created the record
• Allows institutions to verify the authenticity of
diplomas, transcripts, letters of
recommendation, and other student information
(without prior consent) from the relevant
institution
28
28
Disclosure to Prospective School
• An exception to the written consent requirements if the
disclosure is “to officials of another school, school system, or
institution of postsecondary education where the student
seeks or intends to enroll, or where the student is already
enrolled so long as the disclosure is for purposes related to
the student's enrollment or transfer.”
• Still requires notification
29
29
Disclosure to Prospective School
(cont.)
• Some schools maintain “blanket consortium agreements”
• Allows students to take courses at multiple institutions toward
the same degree or certificate, without notifying students every
time records are disclosed between institutions.
• So long as annual notification specifies that the institution will
make such disclosures, individual notifications are not
required.
30
Disclosure under the Campus Sex
Crimes Prevention Act
• The Campus Sex Crimes Prevention Act amended the
FERPA statute to permit institutions to disclose
information regarding registered sex offenders provided
to the institution by the State (receipt must be through
the proper State registry or community notification
program)
• FERPA Rules
• Clarify that Campus Sex Crimes Prevention Act applies to all
educational institutions, including elementary and secondary
schools
• Note that FERPA neither requires or encourages an educational
agency or institution to collect or maintain information on sex
offenders
31
31
Disclosure under the Clery Act
• Jeanne Clery Disclosure of Campus Security Policy and
Campus Crime Statistics Act requires postsecondary
institutions to inform accuser and accused of any final
disciplinary decision related to an alleged sex offense
• FERPA Regulations
• Prohibit postsecondary institutions from forcing the accuser to
sign a non-disclosure agreement as a condition of releasing the
results of a final disciplinary decision
32
32
Disclosure to Parents
of Postsecondary Students
• FERPA rights either belong to the parent(s) or the eligible
student (students 18 or older, or attending a postsecondary
institution)
• FERPA Regulations - Clarify that an educational agencies
and institutions may disclose student information to the
parents:
• If the student is a dependent for Federal tax purposes (applies to 18
year-old high school students and postsecondary students)
• In the case of a health or safety emergency
• If the student is under the age of 21 and has violated an institutional
rule or policy governing the use or possession of alcohol or a
controlled substance
33
33
Disclosures for Health and Safety
Emergency
Following VA Tech Shootings, FERPA Rules were updated to:
• Allow the institution to take into account the totality of the
circumstances at the time pertaining to the threat
• If the institution determines that there is an “articulable
and significant threat,” it may disclose information (from
education records) to any person whose knowledge of
the information is necessary to protect the health and
safety of the student and other individuals
• If the institution has a “rational basis” for its
determination, ED will not retroactively substitute its
judgment in evaluating the decision
34
34
Alumni Exception
• Exclusion covers records that concern an individual or events that
occur after the individual is no longer a student in attendance, such
as alumni activities
• Exclusion is not intended to cover records that are created and
matters that occur after an individual is no longer in attendance but
that are directly related to previous attendance as a student
• Records such as settlement agreements and disciplinary decisions
that concern matters that arose while the individual was in
attendance as a student (even if they are created after the
student’s enrollment) do not fit within the exception
35
35
Access to Education Records
by School Officials
• Educational agencies or institutions must use reasonable methods to
ensure that teachers and other school officials obtain access to only
education records in which they have a legitimate interest
• The approach must be a combination of appropriate physical,
technical, administrative and operational controls
• If physical or technological controls are not used, policies and
procedures must be effective in limiting access to appropriate staff
• Reasonableness of controls depends upon usual and customary good
practices, requiring ongoing review and modification
36
36
Confirming the Identity of the
Party Receiving the Disclosure
• Must use reasonable methods to identify and authenticate
the identity of the recipient before providing information
• Must have usual and customary good business practices,
which require ongoing review and modification of
procedures when necessary
• Must reduce the risk of unauthorized disclosure to a level
that is commensurate with the likely threat and potential
harm from wrongful disclosure
37
37
Subpoenas and Judicial Orders
• A third-party that has received personally identifiable
information from education records from an educational
agency or institution, must provide notice to the parent or
eligible student before it rediscloses the records in compliance
with a judicial order or subpoena (with some exceptions for
law enforcement subpoenas and court orders)
• This rule clarifies which party is responsible for notification
before information is provided pursuant to the judicial order
or subpoena (the old regulations are ambiguous as to whether
the onus falls upon the institution or the third-party recipient)
38
38
Definition of Attendance
• 2008: FERPA Rules updated to keep up with alternative
methods of instructions (online, etc.)
• Definition of “attendance” would include students attending
via videoconference, satellite, Internet, or other electronic
information and telecommunications technologies for
students not physically present in the classroom
39
39
Peer-Graded Assignments
• FERPA Rules:
• Aligns the regulations with the U.S. Supreme
Court’s reasoning in Owasso v. Falvo
• States that peer-graded papers that have not been
collected by the teacher are not considered
“maintained by” the institution and thus, are not
education records covered by FERPA
40
40
FPCO Enforcement Investigation
and Enforcement Powers
• Applies the U.S. Supreme Court’s reasoning in Gonzaga University
v. Doe regarding private causes of action and FPCO’s investigation
power
• The formal complaint does not need to allege a FERPA violation was
caused by a policy or procedure; only an alleged violation is
required
• Allows FPCO to request an institution to provide a written response
and any other relevant information
• Allows FPCO to issue a finding of a FERPA violation without finding
that the violation constituted a policy or practice of the institution
• Specifies that the Secretary may take any appropriate enforcement
action in addition to the specifically listed actions in the regulations
41
41
Recordkeeping Requirements
• Requirements for redisclosures
• A state or local educational authority or federal official or agency that
further discloses information from education records must record the
names of the additional parties to which it discloses, and the parties’
legitimate interests in the information.
• A state or local educational authority, or Federal official or agency, that
records further disclosures of information may maintain the record by the
student’s class, school, district or other appropriate grouping rather than
by the name of the student. This is intended to address instances when
disclosures are made for all student records, such as entering student
data into a state longitudinal data system. The new regulation is an
attempt to lessen administrative burdens (according to USDE).
42
Recordkeeping Requirements
(cont.)
• Upon a school’s request, a state or local educational authority or
federal official or agency that maintains a record of further
disclosures must provide a copy of the record of the further
disclosures to the school within 30 days.
• Educational agencies and institutions must list in each student’s
record of disclosures the names of the state and local
educational authorities and Federal officials or agencies that may
further disclose information on behalf of the educational agency
or institution.
• A school must obtain a copy of the record of further disclosures
maintained by a state or local educational authority, or Federal
official or agency, and make it available in response to a parent’s
or student’s request to review the student’s record of
disclosures.
43
Questions?
44
44
This presentation is intended solely to
provide general information and does
not constitute legal advice.
Attendance at the presentation or
later review of these printed materials
does not create an attorney-client
relationship with Brustein &
Manasevit, PLLC. You should not take
any action based upon any
information in this presentation
without first consulting legal counsel
familiar with your particular
circumstances.
45
45