The Family Educational Rights and Privacy Act of 1974 (FERPA) (also known as the Buckley Amendment)

20 U.S.C. § 1232g; 34 C.F.R. § 99.1 et seq.

Regulates the keeping and dissemination of student records at all institutions that receive federal funds or who have students receiving federal funds. Procedures must be in place to allow a student access to student records. Consent must be obtained to release student records to a third party, with certain exceptions contained in the law. Directory information may be released without permission of the student unless the student has specifically requested that said information not be released. Types of information that may be disclosed as directory information include: student's name, degrees and awards received, address, most recent previous institution attended, phone number, participation in officially recognized sports, activities, date and place of birth, dates of attendance, major fields of study, e-mail address, class schedule, full- or part-time status, and photograph. Information which may not be released as directory information includes social security number, race/ethnicity or gender. Each institution must have its own policy as to what constitutes directory information, and notify students of same. Students must be granted a hearing to challenge information in a record they believe is incorrect. Students must be informed of their rights under this law. For a model notification policy for postsecondary schools see the Model Notification of Rights under FERPA for Postsecondary Institutions. College officials with a legitimate educational interest in the record may have access to it. Records of disclosures and requests for disclosure must be kept, as well as indicate specifically the legitimate interest that each such person has in obtaining the information. Records need not be kept when the request was from the student or accompanied by written consent from the student, from a faculty or school official who was granted access, a subpoena prohibiting disclosure to the student, or for directory information.

Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) to Student Health Records Issued November 2008 jointly by the U.S. Departments of Education and Health and Human Services. The guidance addresses the interplay between FERPA and the HIPAA Privacy Rule at elementary and secondary levels, as well as at the postsecondary level and addresses many of the questions raised by school officials, health care professionals, and others regarding the applicability of these two laws to records maintained on students. It also addresses certain disclosures that are allowed without consent or authorization under both laws, especially those related to health and safety emergency situations.

Changes made by the Higher Education Opportunity Act

Effective August 14, 2009 institutions will be required to (upon written request) disclose to the alleged victim (or next of kin) of a crime of violence or a nonforcible sex offense, the final results of any institutional disciplinary proceeding dealing with the crime or offense. See the NAICU HEA 101 Quick Guide on this provision. This is subject to negotiated rulemaking.

Final FERPA Regulations, 73 Fed. Reg. 74805 Dec. 9th, 2008

In a very lengthy document the Department of Education issued the final FERPA regulations which put into code a number of changes and clarifications to the law on student education record privacy. Some of the guidance is simply a clarification of best practices, and a reiteration of stances already taken by the Family Policy Compliance Office in Dear Colleague Letters. The changes clarify disclosures in a health and safety emergency, removing strict construction of this exception, and allowing disclosure if there is an articulable and significant threat to the health or safety of a student or other individual. If so, the information necessary may be disclosed to parents or any person whose knowledge of the information is necessary to protect the health or safety of the student or other individuals. Schools must record information concerning the circumstance of the emergency.

The definition of *attendance* is clarified to include new technology methods of attending, and now reads: Attendance includes, but is not limited to-- (a) Attendance in person or by paper correspondence, videoconference, satellite, Internet, or other electronic information and telecommunications technologies for students who are not physically present in the classroom; and (b) The period during which a person is working under a work-study program.

In a change that will make life easier for information technology personnel, among others, the Dept. of Education clarified that a unique student identifier (but not an SSN) may be treated as directory information under the FERPA regulations as long as the identifier cannot be used to access records or communicate electronically without one or more additional factors to authenticate the user's identity. The guidance notes that an institution may decide to make students' electronic identifiers and email addresses available within the institution but not release them to the general public as directory info.

The regulations incorporate the Supreme Court decision in Owasso v. Falvo and clarify that education record does not include grades on peer graded papers before they are collected and recorded by a teacher (i.e. maintained by the institution). The department reiterates earlier guidance on how to ascertain whether or not a student is a dependent. The school may rely upon the student's assertion as to dependent status and a model form has been developed to assist the school in obtaining this information.

Of special interest to many schools will be the new text and preamble on outsourcing. Prior consent is not required to disclose education record information to a contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions. The contractor, consultant or volunteer may be considered a school official under this paragraph provided that the outside party--

  1. Performs an institutional service or function for which the agency or institution would otherwise use employees
  2. Is under the direct control of the agency or institution with respect to the use and maintenance of education records
  3. Is subject to the requirements of Sec. 99.33(a) governing the use and redisclosure of personally identifiable informationfrom education records

The preamble notes "Exercising direct control could prove more challenging in some situations than others." While the phrase *direct control* was kept in the final regulations, the Dept. does seem to aim to strike a balance when discussing direct control in the preamble. Best practices in this area will likely develop over time.

Schools will need to look at how they plan to document decisions on sharing information under the health and safety emergency. Schools should note that they must put in each student's record the list of State and local educational authorities and Federal officials and agencies that may make further disclosure of the student's education record without consent.

The regulations take effect January 8th, 2009. For a full write up of the regulations, see the article titled Education Dept. Releases New Rules on Student-Privacy Law, Giving Colleges More Room for Judgment by Sara Lipka published in the December 19th, 2008 Chronicle of Higher Education. The Dept. of Education also has the Final Regulations posted in PDF on their web page.

See also the Drinker Biddle January 2009 Education Alert titled US Dept. of Education Issues FERPA Final Rule and New Guidance on FERPA-HIPAA Relationship.

Clarification by FPCO on Disclosure of Information from Education Records to Parents of Postsecondary Students:

Posted Summer 2007: Guidance Clarifying that FERPA does allow release of information to parents of college students when the student is a dependent for tax purposes; in a health or safety emergency, in certain drug and alcohol incidents, and in addition, may disclose law enforcement records to anyone when the records kept by the campus security office are kept solely for law enforcement purposes. The guidance also notes as follows:

Nothing in FERPA prohibits a school official from sharing with parents information that is based on that official's personal knowledge or observation and that is not based on information contained in an education record. Therefore, FERPA would not prohibit a teacher or other school official from letting a parent know of their concern about their son or daughter that is based on their personal knowledge or observation.

Final Regulations on FERPA and Electronic Signatures
69 Fed. Reg. 21670, April 21, 2004

Over the years the Department of Education has received numerous inquiries as to whether some form of electronic consent and signature, including email, satisfies FERPA's written consent requirement. These final regulations are technology neutral and offer some guidance on when schools may accept electronic signatures from students for release of education records to third parties. The DOE plans to issue further guidance that will include examples of what might be an acceptable process under the regulations. The final regulations adopted by the Department of Education on electronic signatures provide as follows:

Sec. 99.30 Under what conditions is prior consent required to disclose information?

  • "Signed and dated written consent" under this part may include a record and signature in electronic form that--
  • Identifies and authenticates a particular person as the source of the electronic consent
  • Indicates such person's approval of the information contained in the electronic consent

This languages differs from the proposed regulations issued in July of 2003 to some extent. The difference in the final rule is due to the rapidly changing nature of technology, the desire to grant as much flexibility as possible to educational institutions in light of changing technology, the need to not impose standards on elementary and secondary schools that are more suitable only to postsecondary schools, and the need to conform the defintion to other recent federal government publications on electronic signatures. Schools should not assume that the deletion of language to secure and verify the integrity of the consent in transmission and upon receipt does away with this requirement, which might be said to be implicit in any sound systemt for electronic signatures. The regulation was issued by the Office of Innovation and Improvement of the Department of Education, the Office that oversees the Family Policy Compliance Office.

The process used for electronic student loan transactions (FSA standards) is maintained as a safe harbor even though there were complaints that use of this standard was confusing as the two transactions in question are very different. The appendix to the regulations states as follows:

We agree that some circumstances within the FSA Standards do not relate directly to FERPA. While schools are not required by FERPA to follow the FSA Standards, we believe that schools may use the set-up and security measures described in the FSA Standards, particularly sections 3 through 7, as guidance for security measures in a system using electronic records and signatures under FERPA. We do not plan to issue a separate FERPA standards document, but we will clarify these items in additional guidance.

The final rule also notes that schools are not bound to use the safe harbor system. A cautionary note (below) is inserted about Gramm Leach Bliley (GLB) and the additional privacy restrictions imposed on postsecondary institutions under GLB.

Thus, while schools have the maximum flexibility in choosing a system that meets FSA's ``safe harbor'' provisions or another process for authenticating Personal Identification Number (PIN) numbers under FERPA, postsecondary institutions should keep these other Federal requirements in mind when implementing such systems.

HIPAA and FERPA: An FPCO letter clarifies the exemption

Feb. 25, 2004 letter from Family Policy Compliance Office affirming that health information in education records covered by FERPA are excluded from coverage of the HIPAA Privacy Rule (45 C.F.R Parts 160, 164, Subparts A,E. The question arose in the context of release of student immunization records to the the Alabama Department of Public Health. Under HIPAA, a student's health records, maintained by an educational institution, are protected under FERPA rather than falling under the purview of HIPAA, therefore HIPAA neither authorizes or prohibits the release of immunization records, and release to a state agency must come under an exemption in FERPA, such as the health and safety emergency provision.

The Campus Sex Crimes Prevention Act and FERPA

FERPA is amended (§ 1232g(b)(7)(A)) by the Campus Sex Crimes Prevention Act (Pub. L. No. 106-386; 42 U.S.C. § 14071) to make it clear that FERPA does not prohibit release of data on registered sex offenders under this law. The Campus Sex Crimes Prevention Act requires sex offenders who must register under state law to provide notice of enrollment or employment at any institution of higher education (IHE) in that state where the offender resides, as well as notice of each change of enrollment or employment status at the IHE. In turn, this information will be made available by the state authorities to the local law enforcement agency that has jurisdiction where the IHE is located. As of October 27, 2002, the IHE must issue a statement (under the reporting requirements in 20 U.S.C. § 1092(f)(1)) advising the campus community as to where information concerning registered sex offenders can be obtained. FERPA is amended to make it clear that FERPA does not prohibit release of data on registered sex offenders under this law.

See the Family Policy Compliance Office guidance entitled Disclosure of Education Records Concerning Registered Sex Offenders. The guidance states in relevant part:

Thus, nothing in FERPA prevents an educational institution from disclosing information provided to the institution under the Wetterling Act concerning registered sex offenders, including personally identifiable, non-directory information from education records that is disclosed without prior written consent or other consent from the person. The authority of educational institutions to make such disclosures extends both to information about registered sex offenders made available by a State in carrying out the specific requirements of the CSCPA (42 U.S.C. § 14071(j)), and information about registered sex offenders that may otherwise become available to educational institutions through the operation of State sex offender registration and community notification programs.