Family Educational Rights and Privacy Act

April 21, 2004

Part V

Department of

34 CFR Part 99

Family Educational Rights and Privacy Act; Final Rule

     21670             Federal Register / Vol. 69, No. 77 / Wednesday, April 21, 2004 / Rules and Regulations

DEPARTMENT OF EDUCATION

34 CFR Part 99

RIN 1855–AA00

Family Educational Rights and Privacy Act

AGENCY: Office of Innovation and Improvement; Department of Education.

ACTION: Final regulations.

SUMMARY: The Secretary amends 34 CFR part 99 to implement the Department’s interpretation of the Family Educational Rights and Privacy Act (FERPA) identified through administrative experience as necessary for proper program operation. These final regulations provide general guidelines for accepting “signed and dated written consent” under FERPA in electronic format.

DATES: These regulations are effective May 21, 2004.

FOR FURTHER INFORMATION CONTACT: Kathleen Wolan, U.S. Department of Education, 400 Maryland Avenue, SW., room 2W115, Washington, DC 20202–5901. Telephone: (202) 260–3887.

If you use a telecommunications device for the deaf (TDD), you may call the Federal Information Relay Service (FIRS) at 1–800–877–8339.

Individuals with disabilities may obtain this document in an alternative format (e.g., Braille, large print, audiotape, or computer diskette) on request to the contact person listed under FOR FURTHER INFORMATION CONTACT.

SUPPLEMENTARY INFORMATION: On July 28, 2003, the Secretary published a notice of proposed rulemaking (NPRM) for this amendment in the Federal Register (68 FR 44420). In the preamble to the NPRM, we invited interested persons to submit comments concerning the proposed change. We proposed to add § 99.30(d) in order to provide general guidelines for educational agencies and institutions that choose to meet the requirements of § 99.30 with records and signatures in electronic format.

We reviewed guidance for electronic signatures recently published by a variety of Federal Government sources, including the Office of Management and Budget (OMB), the General Services Administration, and the National Institute for Standards and Technology. Based on that review and comments received from school officials, we believe it is necessary to modify these final regulations. We modified these regulations to reflect the definition of “electronic signature” established in the Government Paperwork Elimination Act (GPEA), Public Law 105–277, Title XVII, Section 1710.

Electronic signatures are an area of rapidly evolving technology. These modified regulations provide more fluid and flexible standards for schools that choose to implement a process for accepting electronic signatures. These modified regulations permit schools to take advantage of changing technology as it may become available, whether the change concerns additional security provisions or enhanced customer

Analysis of Comments and Changes

In response to the Secretary’s invitation in the NPRM, 16 parties submitted comments on the proposed regulations. We publish an analysis of the comments and of the changes in the regulations since publication of the NPRM as an appendix at the end of these final regulations. We discuss substantive issues under the sections of the regulations to which they pertain. Generally, we do not address technical and other minor changes and suggested changes the law does not authorize the Secretary to make. However, we have reviewed these regulations since publication of the NPRM and have made changes as follows:

Acceptance of signature in electronic form (§ 99.30)

Comments: None.

Discussion: Electronic formats for signatures and documents are changing rapidly and substantially in response to evolving technologies and public acceptance. We wish to provide the widest possible flexibility for schools to adapt to such changes yet retain a methodology that operates within FERPA’s requirements for proper disclosure of education records. Because FERPA applies to educational agencies and institutions at all levels, we do not want these regulations to inadvertently impose standards on elementary and secondary schools that may be valid only for postsecondary schools under Federal student aid programs.

Based on our review of standards acceptable to other areas of the Federal Government, including OMB circulars and Federal Student Aid (FSA) guidance for electronic student loan transactions, as well as standards established by laws such as the Electronic Signatures in Global and National Commerce Act (E–Sign) and GPEA, we believe these modified regulations will more easily permit schools to adapt to changing standards in the areas of electronic signatures and documents.

Changes: We have revised these regulations to be consistent with other Federal Government standards for “electronic signatures.”

Executive Order 12866

We have reviewed these final regulations in accordance with Executive Order 12866. Under the terms of the order we have assessed the potential costs and benefits of this regulatory action.

The potential costs associated with these final regulations are those resulting from statutory requirements and those we have determined to be necessary for administering this program effectively and efficiently.

In assessing the potential costs and benefits—both quantitative and qualitative—of these final regulations, we have determined that the benefits of the regulations justify the costs.

Summary of Potential Costs and Benefits

We summarized the potential costs and benefits of these final regulations in the preamble to the NPRM (68 FR 44421).

Paperwork Reduction Act of 1995

These regulations do not contain any information collection requirements.

Assessment of Educational Impact

In the NPRM we requested comments on whether the proposed regulations would require transmission of information that any other agency or authority of the United States gathers or makes available.

Based on the response to the NPRM and on our review, we have determined that these final regulations do not require transmission of information that any other agency or authority of the United States gathers or makes

Electronic Access to This Document

You may view this document, as well as all other Department of Education documents published in the Federal Register, in text or Adobe Portable Document Format (PDF) on the Internet at the following site: news/fedregister.

To use PDF you must have Adobe Acrobat Reader, which is available free at this site. If you have questions about using PDF, call the U.S. Government Printing Office (GPO), toll free, at 1–888–293–6498; or in the Washington, DC, area at (202) 512–1530.

You may also find these regulations, as well as additional information about FERPA, on the following Web site: fpco/index.html.


Note: The official version of this document is the document published in the Federal Register. Free Internet access to the official edition of the Federal Register and the Code of Federal Regulations is available on GPO Access at: index.html.

(Catalog of Federal Domestic Assistance Number does not apply.)

List of Subjects in 34 CFR Part 99

Administrative practice and procedure, Education, Information, Parents, Privacy, Records, Reporting and recordkeeping requirements, Students.

Dated: April 2, 2004.

Rod Paige,
Secretary of Education.

For the reasons discussed in the preamble, the Secretary amends part 99 of title 34 of the Code of Federal Regulations as follows:

1. The authority citation for part 99 continues to read as follows:

Authority: 20 U.S.C. 1232g, unless otherwise noted.

2. Section 99.30 is amended by adding a new paragraph (d) to read as follows:

§ 99.30 Under what conditions is prior consent required to disclose information?

* * * * *

(d) “Signed and dated written consent” under this part may include a record and signature in electronic form that—

(1) Identifies and authenticates a particular person as the source of the electronic consent; and

(2) Indicates such person’s approval of the information contained in the electronic consent.

Appendix

Analysis of Comments and Changes

Note: The following appendix will not appear in the Code of Federal Regulations.

Use at Multiple School Levels

Comments: One commenter asked whether the proposed regulations apply only to eligible students at postsecondary institutions.

Discussion: FERPA gives the right to consent to disclosure of education records to parents of minor children at the elementary and secondary school levels, and to parents of children with disabilities who receive services under Part B or Part C of the Individuals with Disabilities Education Act (IDEA). When a student turns 18 years of age or attends a postsecondary institution at any age, the student is considered an “eligible student” under FERPA. The right to consent under FERPA transfers under either of those two conditions from the parent to the eligible student. Although the term “eligible student” will be used throughout this document, educational agencies and institutions at all levels may use these regulations to accept electronic signatures.

Change: None.

Specific Methodologies

Comments: Several commenters asked for more specific guidance on authentication methods and technologies that may be used.

Discussion: As explained in the preamble to the NPRM, the regulations are purposefully narrow in scope and intended to be technology-neutral (page 44420). While we will issue additional guidance that will include further examples of an acceptable process, we do not want to limit the flexibility of schools in this area of rapid technological change.

Change: None.

Safe Harbor

Comments: Several commenters support the use of the FSA standards for electronic signatures in electronic student loan transactions (FSA Standards) as a “safe harbor” provision for acceptance of electronic signatures in FERPA. Several other commenters objected to the FSA Standards as being too rigorous for the perceived level of risk of improper disclosure. The FSA Standards may be viewed on the Internet at the following site: dpcletters/gen0106.html.

Discussion: The preamble to the NPRM stated (page 44421) that the FSA Standards would be the “safe harbor” provision. A “safe harbor” is not set at the minimally acceptable level of security. Due to the nature of the information that may be disclosed and the potential harm a student may suffer from an unauthorized disclosure, we believe the “safe harbor” provision is not unduly rigorous. Schools retain the flexibility to choose to implement a system that meets the “safe harbor” provisions or to choose to implement another system to meet the new FERPA provisions.

However, schools should be reminded that Congress has also, through the Gramm-Leach-Bliley Act (GLB) (Pub.L. 106–102, November 12, 1999), imposed additional privacy restrictions on financial institutions, which include postsecondary institutions, requiring institutions to protect against unauthorized access to, or use of, consumer records. The Federal Trade Commission’s (FTC) rule on the privacy of consumer financial information provides that postsecondary institutions that are complying with FERPA to protect the privacy of their student financial aid records will be deemed in compliance with the FTC’s rule. (65 FR 33646, 33648 (May 24, 2000)). This exemption applies to notice requirements and the restrictions on a financial institution’s disclosure of nonpublic personal information to nonaffiliated third parties in Title V of GLB. However, postsecondary institutions are not exempt from the FTC final rule implementing section 501 of GLB on Safeguarding Customer Information. (67 FR 368484 (May 23, 2002)). Financial institutions, including postsecondary institutions, are required to have adopted an information security program by May 23, 2003, under the FTC rule.

Thus, while schools have the maximum flexibility in choosing a system that meets FSA’s “safe harbor” provisions or another process for authenticating Personal Identification Number (PIN) numbers under FERPA, postsecondary institutions should keep these other Federal requirements in mind when implementing such systems.

Change: None.

Applicability of FSA Standards

Comments: One commenter stated that it was confusing to apply the situations and terminology in the FSA Standards to FERPA. The commenter suggested that we issue a separate guide on FERPA standards.

Discussion: The FSA Standards do not apply directly to FERPA because some actions are imposed only on lenders or borrowers of financial aid. For example, the FSA Standards require that paper copies of transactions be provided to a student borrower at no cost in some circumstances, and lenders are required to obtain a borrower’s specific consent to conduct loan transactions electronically. Neither of those circumstances has parallels within FERPA.

We agree that some circumstances within the FSA Standards do not relate directly to FERPA. While schools are not required by FERPA to follow the FSA Standards, we believe that schools may use the set-up and security measures described in the FSA Standards, particularly sections 3 through 7, as guidance for security measures in a system using electronic records and signatures under FERPA. We do not plan to issue a separate FERPA standards document, but we will clarify these items in additional guidance.

Change: None.

Use of “Trusted Third Party” in Identification Verification

Comments: A commenter expressed a belief that disclosure by a school of student information without prior written consent to a “trusted third party” as part of an identification verification process may be in violation of FERPA. This commenter stated that the conflict arises because the FSA Standards specify that the third party may not be an agent of the school.

Discussion: FSA authenticates student identification information with the Social Security Administration as a “trusted third party.” FERPA’s consent provisions do not apply to transactions between a student and FSA.

In situations where a school is disclosing education records to a third party, FERPA’s consent provisions apply. When the third party receiving the information from the school is not an agent for the school, FERPA generally requires a school to obtain prior written consent before the disclosure is made. Receipt of the prior consent would then allow a school to disclose personal information for authentication purposes with the records of independent sources such as credit reporting agencies or testing companies.

Schools may also choose to use other processes to authenticate identity. For example, a school may require the eligible student to present photographic identification issued by a government agency. Such photographic identification includes, but is not limited to, a State-issued driver’s license, a federally-issued passport,
and other Military, Federal, or State-issued identification cards.

Change: None.

Issuing a PIN or Password

Comments: One commenter stated that schools that issue a PIN to students as outlined in the FSA Standards can result in a PIN that is recorded and accessible to school officials. The commenter is concerned that this conflicts with FERPA policy that a PIN is not acceptable for use under FERPA if persons other than the student have access to the PIN.

Discussion: The process described in the FSA Standards does not permit school officials to access a student’s PIN or password. In addition, the FSA Standards permit an eligible student to change an assigned password or PIN to one of their own choosing. Under the FSA Standards, all of the passwords or PINs, whether assigned or student-selected, are maintained in a secure database in an encrypted manner that is not generally accessible to school officials or other parties.

A school that uses a similar methodology would remain in compliance with requirements for the acceptance of an electronic signature under FERPA. However, a school may not use a PIN or password process that results in a PIN or password that is visible and easily accessible to persons other than the eligible student because that type of process results in an insecure PIN or password. Schools retain the maximum flexibility to implement any appropriate methodology.

Change: None.

Use of Current Systems

Comments: Several commenters asked whether it is acceptable to use existing systems that include sign-on capability, such as campus e-mail, admissions, enrollment, and fee payment systems. Several commenters also asked if it is acceptable to permit eligible students to provide notice of directory information opt-outs by use of electronic signatures.

Discussion: As explained in the preamble to the NPRM, the requirements for an electronic signature apply in circumstances where a signed and dated written consent is required under FERPA (page 44420). Such consent is generally required under FERPA when information from education records is to be disclosed to a third party, as in the issuance of a transcript to a prospective employer. Consent is not a requirement for disclosure of an eligible student’s own records to the student. A school that wishes to use its current system for situations where FERPA consent is required must determine whether it provides the required level of security.

The majority of the systems mentioned by the commenters are designed for communication between a school and an eligible student. Systems that permit eligible students to view, alter, or update the student’s own records by electronic means are not the subject of these regulations. A school must ensure that the eligible student and not some other party is the receiver of the information, but the method a school uses to do so is not prescribed by these regulations.

Change: None.

Third-Party Presentation of Electronic

Comments: Several commenters asked whether the proposed regulations are applicable when a third party, not the eligible student, presents the electronic signature claimed to be that of the eligible student. Two commenters expressed strong support for acceptance of electronic signatures presented by third parties, primarily when the third party is a government entity or another educational agency or institution.

Discussion: Educational agencies and institutions are responsible to ensure that education records are disclosed only in accordance with FERPA. Any disclosure of education records to a third party, even in accordance with a student’s consent, is permitted but not required under FERPA. Each agency or institution must have the flexibility to decide whether a request for disclosure meets the requirements of FERPA and whether the institution wishes to make the requested disclosure.

The FERPA regulations do not require that an eligible student provide his or her consent directly to the educational agency or institution, and these regulations do not impose a different requirement for electronic signatures. We would support an agency’s or institution’s decision to only accept electronic signatures presented on behalf of the eligible student by certain third parties, such as Federal or State agencies.

Change: None.

Application of Standards of Other Privacy Laws

Comments: One commenter suggested that the standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule for “protected health information” be applied to personally identifiable information contained in students’ education records. The commenter was concerned because personally identifiable information from students’ education records are disclosed by educational agencies and institutions to outside third parties who have grants to do research. The commenter stated that educational agencies and institutions do not recognize the concern for privacy of such data.

Discussion: The HIPAA Privacy Rule, which is administered by the Department of Health and Human Services, excludes from the definition of “protected health information” two categories of records that are relevant here: “education records” covered by FERPA (34 CFR 99.3 “Education records”) and records described under FERPA’s medical treatment records provision (34 CFR 99.3 “Education records”). See 45 CFR 160.103(a). The HIPAA Privacy Rule does not cover such records because Congress, through FERPA, specifically has addressed how these records should be protected. As such, FERPA provides ample protections for these records and schools should ensure that health information, as well as other education records on students, are not disclosed to outside third parties without the consent of the student or under one of the exceptions to FERPA’s general prior consent rule.

With regard to the commenter’s statement that educational agencies and institutions do not recognize the concern for privacy of student information, it has been our experience that the majority of the Nation’s schools do comply with FERPA and strive to protect the privacy of information contained in student records. FERPA is not a public open records or freedom of information statute. Rather, the purpose of FERPA is to protect the privacy interests of parents and eligible students in records maintained by educational agencies and institutions on the student. These privacy concerns should not be viewed as barriers to be minimized and overcome but important public safeguards to be protected and strengthened.

Change: None.

[FR Doc. 04–9054 Filed 4–20–04; 8:45 am]
BILLING CODE 4000–01–P
