NAICU Washington Update

Dept. Ed Issues Final FERPA Regulations

December 20, 2011

The Department of Education has issued final regulations on the Family Education and Rights and Privacy Act (FERPA).  As issued December 2, they remain relatively unchanged from the proposed regulations issued earlier this year. (See Washington Update, April 11 and June 14.)  Of the approximately one dozen changes made, only three were identified by the Department as being "substantive":

  • Including in FERPA the definition of "early education program" currently included in the Higher Education Act;
  • Expanding the definition of "education program" to include any program that is administered by an educational agency or institution - so that programs like bullying, substance abuse, and violence prevention can be included in the expanded information-sharing envisioned by the regulations; and
  • Adding provisions to the written agreement governing the broader sharing of personal information from education records. These additional provisions provide for a description of the information that will be shared, and how it is intended to be used.

Once the regulations take effect January 3, more information from student education records will be made available to a larger number of individuals and entities engaged in audit, evaluation, or enforcement/compliance activities.  Proponents of robust longitudinal data systems have lauded the expansion as facilitating the tracking of a student's progress from pre-school through college - and perhaps beyond.

At the same time, this expansion will reduce student privacy and increase the risk of data breaches.  It will also reduce the control individuals have over their education records.  While FERPA permits parents and eligible students to review and seek to amend their educational records held by a school, that opportunity doesn't extend to information held by the third parties that will now have access to the information.

The Department is relying heavily on written agreements to protect student privacy and data security as student data becomes more widely available.  However, the regulations require few specific contractual safeguards, and don't provide for additional enforcement activities.  That responsibility will largely fall on those entering into the written agreements - guided by a set of non-binding "best practices" described in Appendix A of the Federal Register. (The appendix will not be included in the Code of Federal Regulations, but may be found on pages 75645-54 of the December 2, 2011, Federal Register.)

MORE News from NAICU