PROPOSED FERPA REGULATIONS

1. PROPOSED FERPA REGULATIONS Data Quality Campaign Webinar April 14, 2011 Steven Y. Winnick EducationCounsel LLC 202-545-2913 steve.winnick@educationcounsel.com

2. Proposed FERPA Regulations OUTLINE • New Proposed FERPA Regulations • Purpose of the Proposed Regulations • FERPA Background • Broader Access to Student Data at the State (and Local) Level for Evaluation & Research • New Privacy Safeguards • Directory Information • Open/Unresolved Issues • Conclusion

3. I. New Proposed FERPA Regulations • USED on April 8, 2011 published proposed amendments to FERPA regulations. • The due date for public comments is May 23, 2011. • The regulations will be legally effective only after they are issued in final form.

4. II. Purpose of the Proposed Regulations • The purpose of the proposed regulations is to facilitate fuller access for research and evaluation purposes to student data in state longitudinal data systems (SLDSs), while at the same time enhancing privacy protections applicable to the use of these data. • USED committed in regulations issued to implement the American Recovery and Reinvestment Act of 2009 (ARRA) to issue revised FERPA regulations based on concerns that FERPA as then interpreted had a chilling effect on states' ability to implement data system mandates under the ARRA.

5. II. Purpose of the Proposed Regulations (cont.) • The proposed regulations also clarify and expand the scope of USED's authority to enforce FERPA and address issues related to the scope and disclosure of directory information.

6. III. FERPA Background Applicability and Scope • FERPA applies principally to educational agencies and institutions (postsecondary institutions, schools, and school districts) that receive grant funds from the U.S. Department of Education (USED). • FERPA prohibits educational agencies and institutions from disclosing students' education records without written parental consent, unless the disclosure comes within one or more of a list of authorized disclosures in the law. • Once a student reaches 18 years of age or is attending a postsecondary institution, the consent required of and the rights accorded to parents under FERPA accrue to the student. ("Eligible Student")

7. III. FERPA Background (cont.) Applicability and Scope (cont.) • FERPA prohibits disclosure of personally identifiable information in students' education records. • FERPA 2008 regulations define "personally identifiable information" to include: • Information that alone or in combination would allow a reasonable person in the school community to identify the student with reasonable certainty, and • Information requested by a person who the education agency or institution reasonably believes knows the identity of the student to whom the education record relates. • "Education records" subject to FERPA are broadly defined to include records, files, and other materials directly related to a student and maintained by an educational agency or institution or by a person acting for it.

8. III. FERPA Background (cont.) Implications for State Longitudinal Data Systems (SLDSs) • Although USED has never withheld federal funds based on a FERPA violation, the law has had a significant chilling effect on the development of robust SLDSs. • There has been considerable misunderstanding about what the law forbids. • In interpreting FERPA, USED in the past did not generally seek to balance privacy protections with the need to use student data to improve education and did not accommodate the need to use data in state longitudinal data systems.

9. IV. Broader Access to Student Data At the State (and Local) Level for Evaluation and Research Broadening Representatives that May Receive Data for Evaluation/Audit • Subject to privacy safeguards, the proposed regulations authorize state and local education officials (without written parent consent) to disclose personally identifiable student data to any designated entity or person for the purpose of evaluating, auditing or enforcing federal compliance with state- or federal-supported education programs. • This reverses longstanding USED interpretation that data could be disclosed only to employees or private contractors of education agencies, not to workforce or other state or local non-education agencies. • It also for the first time permits education agencies to store their data in a state or local data agency that is not itself an education agency. • Significance: The effect of the proposed change would be to authorize education agencies, subject to privacy safeguards discussed below, to store/disclose data in/to workforce and other non-education agencies to match the education and other data in order to evaluate education programs. Currently, the non-education data have to be transmitted to the education agency and matched under its supervision.

10. IV. Broader Access to Student Data At the State (and Local) Level for Evaluation and Research (cont.) Disclosing Postsecondary Data to K-12 systems/agencies • The proposed regulations authorize postsecondary institutions or data systems to disclose student data back to K-12 data systems or school districts for the purpose of evaluating how well the district had prepared students for college. • USED's previous interpretation, expressed in the preamble to 2008 regulations, was that data could be disclosed under the evaluation/audit provision in FERPA only for the purpose of evaluating/auditing programs of the agency disclosing the data. • The proposed regulations would also permit K-12 agencies or data systems to disclose data back to publicly funded early childhood education programs to determine how well the programs had prepared children for elementary school.

11. IV. Broader Access to Student Data At the State (and Local) Level for Evaluation and Research (cont.) Disclosing Postsecondary Data to K-12 systems/agencies (cont.) • Significance: USED's new interpretation— • Enables the principal purpose for disclosing postsecondary data back to K-12 agencies and data systems; namely, to evaluate how well districts and secondary schools prepared students for college, by looking at enrollment, persistence, remediation rates, and success of former secondary students in postsecondary education. • Has parallel significance for data disclosures from K-12 agencies back to public early childhood education agencies. • Aligns FERPA with ARRA provisions that require states to use data for these purposes.

12. IV. Broader Access to Student Data At the State (and Local) Level for Evaluation and Research (cont.) Scope of Education Programs Subject to Evaluations and Audits • The proposed regulations broadly define "education programs" that may be the subject of an evaluation or audit as the basis for disclosures under FERPA. • The definition includes any program principally engaged in education, including, among other programs, early childhood education, career and technical education, and job training, whether or not the program is administered by an educational agency or institution. • Significance: Student data could be disclosed to authorized representatives designated by a state or local education authority for the purpose of evaluating head start programs or early childhood education programs or job training programs administered by non-education agencies.

13. IV. Broader Access to Student Data At the State (and Local) Level for Evaluation and Research (cont.) State or local education agency disclosures for research • The proposed regulations provide that nothing in FERPA prevents a state or local education authority from redisclosing data on behalf of educational agencies or institutions for a research study. • Subject to an agreement with the research organization protecting use of data. • Preamble recognizes that state educational agencies (including for higher ed) typically have implied authority to perform/provide for research on behalf of schools in state.

14. IV. Broader Access to Student Data At the State (and Local) Level for Evaluation and Research (cont.) State or local education agency disclosures for research (cont.) • Significance: This provision would for the first time make the research provision in FERPA applicable to state-level data, thereby facilitating use of state-level student data for research studies that benefit schools, postsecondary institutions, and education agencies in the state.

15. V. New Privacy Safeguards Focused on Balancing Expanded Uses of State Data for Evaluation & Research with Privacy Protections • The proposed regulations require that state and local education authorities use "reasonable methods" to ensure compliance with FERPA by any entity designated as its authorized representative to receive data to conduct evaluations, audits, or compliance activities. • To provide flexibility for state and local education authorities, "reasonable methods" is not defined, but the proposed regulation solicits public comment on what would constitute reasonable methods. • The proposed regulations also require written agreements between the state or local education authority and its authorized representative for evaluations, audits, and compliance activities that include-- the purpose and scope of the disclosures, return or destruction of the data when no longer needed for the authorized purpose and the time period for such return or destruction, and policies and procedures to protect the data from misuse or further disclosure.

16. V. New Privacy Safeguards (cont.) Enforcement • Debarment: The proposed regulations provide that if an authorized representative that receives data to perform evaluations, audits or compliance activities is found by USED to have improperly redisclosed the data in violation of FERPA, the educational authority that provided the data would be required to deny access to personally identifiable data to that representative for at least 5 years. • Investigations and Enforcement: The proposed regulations provide that state educational authorities and other recipients of funds from USED – not just educational agencies or institutions that enroll students – are subject to investigations and enforcement, including possible withholding of funds, for FERPA violations. • Significance: USED is signaling that with increased flexibility to use data for evaluation and research, states will be held accountable for FERPA compliance. Instead of barring linking and use of data for proper educational purposes (as in the past), USED is taking the approach that the data need to be safeguarded by state and local agencies and their representatives.

17. VI. Directory Information Background • "Directory information" is defined by FERPA to mean information in an education record that would not generally be considered harmful or an invasion of privacy if disclosed. • A postsecondary institution, school, or school district may elect to designate (through a public notice) for public disclosure “directory information.” • Parents or eligible students may opt out of having their directory information released.

18. VI. Directory Information (cont.) Student IDs • The proposed regulations provide that an educational agency or institution may designate as directory information student ID numbers displayed on a student ID card or badge or a user ID for students to use electronic systems, if the identifier cannot be used to gain access to education records without additional authentication such as through a PIN or password and the student's social security number is not used. • The proposed regulations provide that parents may not opt out of directory information disclosures to prevent an educational agency or institution from requiring students to wear or otherwise disclose student ID cards or badges when on school property or engaged in school events.

19. VI. Directory Information (cont.) Student IDs (cont.) • Significance: The proposed change is intended to facilitate use of ID numbers for school safety and security purposes.

20. VI. Directory Information (cont.) Authorized limits in Directory Information Policies • The proposed regulations clarify that an educational agency or institution may adopt a directory information policy that limits disclosures to specific parties or purposes or both – not just a policy for unlimited disclosure of directory information to the public. • Significance: This proposed change responds to concerns from education agencies and institutions that providing for directory information disclosures to the public could subject their students to identity theft or solicitations from vendors.

21. VII. Open/Unresolved Issues Just a Few • FERPA does not authorize disclosures of education records to workforce (or other non-education) agencies for the purpose of strengthening workforce (or other) services (unless they come within the definition of education). A statutory change would be needed to authorize disclosures for these purposes. • While the proposed regulations are very helpful in addressing the applicability of FERPA to early childhood education, issues remain regarding the privacy of records and early childhood services. • FERPA applies to education records of students. The issue is when are early childhood services education for students and when are they non-education child care. And is that a meaningful and productive distinction? Does it make sense for parents and early childhood service providers to have the availability of privacy protections for children's records turn on these distinctions? • Legislation may be needed to address this issue.

22. VII. Open/Unresolved Issues (cont.) Just a Few (cont.) • Under FERPA, if an educational agency or institution violates FERPA, it has an opportunity to come into voluntary compliance before it is subjected to enforcement sanctions. It is unclear whether this process to correct a violation applies in the case where, under the proposed regulations, a state or local agency or authorized representative makes an unauthorized redisclosure and is subject to debarment from receiving further disclosures for a period of at least 5 years.

23. VIII. Conclusion • The proposed regulations include significant provisions to align FERPA with state and local longitudinal data systems and the need for them to be able to use student data effectively and efficiently for robust evaluation, research, and accountability purposes. • They also include significant new provisions to assure the protection of student data in connection with these purposes. • In commenting on the proposed regulations, you may want to focus on whether you believe the proposed regulations have drawn the right balance regarding the need to use the data for educational improvement and privacy concerns. • Comments might address how much flexibility should be given to state and local agencies in selecting reasonable methods to ensure compliance. • Comments also might address some of the unresolved issues identified above.

24. Contact Information Steve Winnick, counsel of EducationCounsel LLC, previously served as deputy general counsel and the designated agency ethics official of the U.S. Department of Education. Phone Number: 202-545-2913 E-mail: steve.winnick@educationcounsel.com EducationCounsel LLC, affiliated with Nelson Mullins Riley & Scarborough in Washington, D.C., provides education agencies, institutions, and organizations with a wide variety of policy support services, including diversity-related strategic planning, policy counseling and program evaluations; legal advice and advocacy; and staff/member training. (www.educationcounsel.com)