U.S. Department of Education Issues New Regulations to the Family Educational Rights and Privacy Act

On December 2, 2011, the U.S. Department of Education issued new regulations to the Family Educational Rights and Privacy Act ("FERPA") to help ensure that student information continues to be protected as more education records are digitized and shared electronically.  These new regulations are effective January 3, 2012. 

The new regulations amend the definition of "directory information" and provide school districts with the option of adopting a limited directory information policy.  "Directory information" includes things that are not usually considered to be an invasion of privacy if disclosed (e.g., name, address, date of birth).  School districts are required to (1) provide annual notification to parents and students of the types of information designated as directory information and (2) inform parents and students of their right to opt out of having the child's information designated as directory information and disclosed as such.

Under the current FERPA regulations, directory information includes, among other items, a student ID number, user ID or other unique personal identifier used by a student for accessing or communicating via electronic systems if that identifier cannot be used, except in conjunction with a PIN, password or other factor known only by an authorized user, to access education records.  In response to confusion regarding whether parents have the right to opt out of having their child wear an ID card or name badge, the new regulations permit school districts to require students to wear or display ID cards and badges which have a student ID number or unique personal identifier so long as that identifier or number cannot be used, except in conjunction with a PIN, password or other factor known only by an authorized user, to access education records.

In addition, school districts may now adopt a limited directory information policy which specifies that disclosure of directory information will be limited to specific parties, for specific purposes, or both.  If a school district adopts a limited directory information policy, the annual notification to parents and students must specify such policy.

In an effort to allow non-educational agencies easier access to students' personally identifiable information to evaluate the education programs they administer, the Department of Education has now defined the terms "authorized representative," "education program," and "early childhood education program."     

Under the new regulations, state and local educational authorities must enter into written agreements with (1) organizations conducting studies for, or on behalf of, schools, school districts or post-secondary institutions regarding the disclosure of personally identifiable information, and (2) authorized representatives of the Comptroller General, the Attorney General, the Secretary of Education, and state or local educational authorities for the audit or evaluation of federal- or state-supported education programs.  The new regulations set forth a number of items that must be included in these written agreements, including provisions requiring the destruction of the personally identifiable information and the time period in which the personally identifiable information will be destroyed. 

Finally, the new regulations provide the Department of Education with stronger, more specific enforcement authority over educational agencies, educational institutions, and/or third parties that are found to violate FERPA.