By Mary S. Gerbig
The Family Educational Rights and Privacy Act (FERPA), first enacted in 1974, is the federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education (DOE).
On March 24, 2008, the DOE published proposed changes to FERPA regulations. The proposed changes are largely in response to recent legislation such as the USA Patriot Act; several U.S. Supreme Court decisions; advances in technology and corresponding identity theft issues; and increasing violence on school campuses. A common theme in the school violence cases has been the recognition by the DOE that the health and safety exceptions have been applied too narrowly by educational institutions. The proposed regulations are intended to clarify and broaden the scope of the health and safety exceptions. The DOE sought comments and input on the proposed rule changes through May 8, 2008. Enactment of the final regulations is anticipated in late November or early December 2008.
Below are some of the highlights of the recently proposed regulations:
- May include a student’s user ID if the electronic identifier cannot be used to gain access to education records.
Disclosure to Party Creating Record
- Excludes from the definition of disclosure the release or return of an education record to the party that provided or created the record.
- Excludes records that are created or received after an individual is no longer a student in attendance and are not directly related to the individual’s attendance as a student.
Personally Identifiable Information
- Includes biometric record.
- Removes language about personal characteristics.
- Includes other information that is linked or linkable to a specific student that would allow a reasonable person in the school or its community to identify the student.
Disclosure to Parents
- Clarifies that an eligible student’s parents are appropriate parties to whom an educational institution may disclose personally identifiable information from education records without consent in a health or safety emergency.
Disclosure to Third Parties Working on Behalf of School
- Clarifies and expands the school official’s exception to include contractors, consultants, volunteers and other outside parties to whom an educational agency or institution has outsourced institutional services.
Access to Education Records by School Officials
- Use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests.
Disclosure to a School Where Student Seeks or Intends to Enroll
- May disclose without consent to another institution if the disclosure is for purposes related to the student’s enrollment or transfer.
Redaction of Information
- Provide objective standards for disclosing redacted documents.
Authentication of Identity
- Use reasonable methods to identify and authenticate the identity of the person seeking records.
- May use password or PIN with user name.
- Single-factor authentication may not be reasonable for protecting access to information such as social security numbers.
Health and Safety Emergencies
- Take into account the totality of the circumstances.
- May disclose information if there is an articulable and significant threat to the health or safety of a student or other individuals.
- Specifies materials (such as policies, procedures, annual notifications, and training materials) that the FERPA enforcement office may require an educational institution to submit within the course of an investigation of FERPA violations.
In light of the proposed regulations, and the interplay with the state pupil records law, we recommend a review of your pupil record policies and procedures for the 2008-09 school year. Contact Mary Gerbig at email@example.com or your Davis and Kuelthau, s.c. attorney if you have questions regarding pupil records.