New Privacy and Security Regulations Alter Requirements for Educational Institutions

February 9, 2009 | Posted by Ryan Mrazik

The Department of Education (Department) recently released regulations modifying numerous provisions of the Family Educational Rights and Privacy Act (FERPA). Like FERPA, the regulations govern the privacy of personally identifiable information in student education records and apply to all educational institutions that receive federal funding. The regulations address four issues: (1) permissible disclosures, (2) security measures, (3) revised definitions, and (4) enforcement. Key regulations specifically address health and safety emergencies, third-party contractors, security measures, and the statutory definition of "personally identifiable information."

Permissible Disclosure: Health or Safety Emergencies

Pursuant to FERPA, an institution can disclose, without consent, a student's personally identifiable information to any appropriate party in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or others.

  • Now, in making determinations under this exception, an institution may take into account the totality of the circumstances pertaining to a threat to the health or safety of a student or others. Previously, the health or safety exception had been strictly construed.
  • The institution needs only to determine that there is an articulable and significant threat to the health or safety of an individual or others before disclosing the information. The institution only needs to have a rational basis for its disclosure.

Permissible Disclosure: Outside Parties Who Qualify as School Officials

FERPA currently allows non-consensual disclosure of personal information to school officials within the institution.

  • The "school official" exception has been expanded and now includes contractors, consultants, volunteers, and other outside parties that are under the direct control of the institution with respect to the use of education records and that are subject to the same conditions governing the use and redisclosure of personal information that apply to all school officials. These outside contractors, if designated as "school officials," can now receive information from education records without student consent.

Security Measures: Control and Safeguarding of Education Records

Institutions must now use reasonable methods to ensure that school officials obtain access to only those records in which they have a legitimate educational interest.

  • To meet this new burden, institutions can choose to (1) use physical or technological controls to appropriately limit access or (2) ensure that their administrative policy is effective and that the institution complies with FERPA's legitimate educational interest requirement.

Although not an enforceable regulation, the "Department Recommendations for Safeguarding Education Records" encourage institutions to:

  • Consider actions reasonably calculated to protect information and mitigate the risk of disclosure, and use any method or reasonable technology to do so;
  • Consult (1) the National Institute of Standards and Technology 800-100 Information Security Handbook and publication 800-53 on Information Security and (2) a May 22, 2007 memorandum from the Federal agency heads to the Office of Management and Budget regarding information safeguards and breach management;
  • After an unauthorized disclosure: (1) report the incident to law enforcement; (2) determine what information was compromised, how the incident occurred, whether it was due to a lack of oversight, and whether institutional policies were breached; (3) take steps to retrieve the data and prevent further disclosure; (4) identify all affected records and students; (5) conduct a risk assessment to identify appropriate prevention measures; and (6) notify students of the Department's website describing steps to take as a possible victim of identity theft.

The Department does not require an institution to notify students that their information was subject to theft or unauthorized release.

Revised Definition: Personally Identifiable Information

Personally identifiable information now includes:

  • Information "linked or linkable" to a specific student that would allow a reasonable person in the school community to identify a student with reasonable certainty;
  • Information requested by a person who the institution reasonably believes knows the identity of the student to whom the education records relate;
  • Biometric records, which are biological or behavioral characteristics that can be used for automated recognition, such as fingerprints, retina or iris patterns, voiceprints, a DNA sequence, facial characteristics, or handwriting; and
  • Indirect identifiers, such as date and place of birth and mother's maiden name.

The new regulations contain numerous additional changes that both increase and decrease the regulatory burden of educational institutions. For more information on FERPA and the revised regulations, see the Department's FERPA website and its section-by-section analysis of the new regulations.