The following was submitted as a formal comment to the United States Department of Education on May 23, 2011. The links were added after for CLHE members.
Since the comment is a bit technical in nature, CLHE will provide a series of issues briefs for members to explain the issues.
Docket ID ED-2011-OM-0002
May 23, 2011
U.S. Department of Education
400 Maryland Avenue, S.W.
Washington, DC 20202
Sent Via: Federal eRulemaking Portal at http://www.regulations.gov
RE: Family Educational Rights and Privacy Act Notice of Proposed Rulemaking
On behalf of the Council on Law in Higher Education (CLHE), I want to thank the Department of Education for this opportunity to provide comments on the April 8, 2011 FERPA proposed regulations.
CLHE is an independent nonprofit organization that conducts analysis on policy and legal issues affecting the higher education system. Colleges and universities from across the country, along with law firms and other organizations, receive our information and analysis.
Since the organization was founded in 1998, CLHE has focused extensively on FERPA, along with privacy and information security issues in general. The organization strongly supports student rights, including meaningful privacy protections.
This comment will first provide a brief overview of our views. Secondly, as requested in the notice, the comment will address issues in the same order as the proposed regulations.
I. Brief Overview
Many of the proposed changes lack statutory authority under FERPA. There also is nothing in the American Recovery and Reinvestment Act of 2009 (ARRA) or the American Creating Opportunities to Meaningfully Promote Excellence in Technology, Education, and Science Act (COMPETES Act) that conflict with FERPA thereby rendering any FERPA statutory requirement moot.
While Congress has shown support for statewide longitudinal data systems (SLDS), it has not amended FERPA. The Department itself has not attempted to argue in the proposed regulations that ARRA or the COMPETES Act has preempted FERPA in any manner based on a statutory conflict.
Instead, the Department appears simply to be supporting SLDS. This support is demonstrated by the following passage that discusses the authority to audit or evaluate educational programs:
The Department intends these clarifications to promote Federal initiatives to support the robust use of data by State and local educational authorities to evaluate the effectiveness of Federal or State supported education programs.
It may be sound policy to push SLDS, however, this does not give the Department the authority to ignore the plain language and intent of FERPA to achieve that policy objective. Congress is the lawmaking body and must choose to make any statutory changes, including changes to FERPA.
The Department spends a significant amount of time in the proposed regulations discussing the policy objectives of ARRA and the COMPETES Act. Yet, in these FERPA proposed regulations, the Department does not discuss in any significant manner how it is ensuring that FERPA is implemented and enforced consistent with the critical goals and intent of the FERPA statute.
In fact, the proposed regulations focus on how FERPA is an obstacle to achieve the policy objective of SLDS. The goals of FERPA, and as a result, student privacy, play a secondary role to data sharing programs.
Authorized Representative (99.3, 99.35)
There may not be a definition of “authorized representative” in the statutes, but the statutory language does provide some clear guidance on its face. The statute specifically allows disclosure of PII, in limited situations, to the Comptroller General, the Attorney General, the Secretary of Education, and state and local educational authorities.
The proposed regulations would allow the above-mentioned agencies to designate any entity or individual, be it public or private, to serve as the authorized representative of the agency.
For example, as stated in the proposed regulations, “there is no reason why a State health and human services or labor department, for example, should be precluded from serving as the authority’s authorized representative and receiving non-consensual disclosures of PII…”
The effect of such an interpretation is to read out the statutory language providing for only specific agencies to receive PII. If Congress intended for a state labor agency or other third party to receive such data, it would have said this directly in the statute.
It appears that such an interpretation would allow agencies to designate almost anyone it wants so long as some type of argument can be made that the entity or individual is conducting, “with respect to Federal or State supported education programs—any audit, evaluation, or compliance or enforcement activity in connection with Federal legal requirements that relate to those programs.”
It begs questions, such as:*
• Would this allow one state to designate an agency in another state as an authorized representative?
• Could individual state politicians be considered authorized representatives?
• Could private companies that have very strong interests in the data independent of the reason for the disclosure, be authorized representatives?
As stated in the proposed regulations, it has been longstanding Department policy to consider an authorized representative as someone who is under the direct control of the specifically listed agencies. Such a policy was specifically explained in the “Hansen memorandum.”
This policy reflects a proper interpretation of the statute (limits authorized representatives to those agencies specifically listed in the statute) and addresses the practical problems of agencies trying to control the disclosure of information.
By limiting it to individuals under the direct control of the agencies, there is some assurance that the specific agency will be accountable and take appropriate measures. Under the proposed language, the agencies would be able, and may be required to if a state legislature so desires, to disclose information to third parties that are unlikely to take measures to prevent the improper disclosure of PII.
The proposed regulations characterize the current interpretation as being “restrictive.” The opposite is true. The interpretation allows the agencies to go beyond just allowing employees to have access to data by allowing third parties to have access to data as well.
Recommendation: Codify the “Direct Control” standard into the FERPA regulations.
Education Program (99.3, 99.35)
By changing the requirement that “education programs” be administered by educational agencies or institutions, the Department is creating both legal and practical problems.
Looking at the legal perspective, the Department is taking an unreasonable interpretation of the term “educational program” in order for outside entities to evaluate educational programs that are completely unrelated to educational agencies and institutions, as well as completely unrelated to students.
This interpretation would, for the first time, allow institutions to disclose information on students even if the disclosure of PII is for a purpose not directly related to a student or does not serve some specific function for the institution. While all other permissible disclosures are related to students and institutions, for the audit and evaluation disclosure, there would be a special exception. Such an inconsistency in relation to all the other disclosures is further evidence that “education program” is being interpreted improperly.
The practical problems of this extreme interpretation also are significant. An “educational program” can mean almost anything as proposed in the regulations. Anyone can be an education provider—the definition of “education program” does not limit who can be a provider. The definition of “education program” also does not require anything more than the program is “principally engaged in the provision of education.”
While such a broad interpretation may help a state health agency review the records of college students so it can look back and see the success of a Head Start program, as discussed in the proposed regulations, it also may lead to the following sample situations, assuming the program is federal or state-supported:
• A public education television station receives PII to evaluate demographics of contributors.
• Planned Parenthood, as part of its health education programs, receives PII to evaluate their programs.
• The National Rifle Association, as part of its educational programs about gun safety, receives PII.
• Voter education/get-out-to-vote groups receive PII to evaluate their programs.
The term “education” does not just mean classroom education and when not limited to what educational agencies or institutions do, the term can be extremely broad (as demonstrated in the above examples).
Combined with the definition of “authorized representative,” almost any entity, be it public or private (or even an individual) could have access to PII so long as one program that it runs is “principally engaged in the provision of education.”
Recommendation: Do not change the existing FERPA regulations that require educational programs to be those administered by educational institutions and agencies.
Authority to Audit or Evaluate (99.35)
As the proposed regulations explain, FERPA does not create authority for authorized representatives to audit or evaluate programs. Therefore, the FERPA regulations require that some type of legal authority be established.
This requirement is necessary to ensure that institutions and agencies are properly disclosing PII to “auditors and evaluators” as allowed under the FERPA statute.
Allowing authority to be established if it is “express or implied” would permit institutions and agencies to disclose PII to entities even if that agency has no right, outside FERPA, to access the information.
This interpretation makes little sense given that the audit/evaluation exception involves compliance and enforcement-related activities—these are activities where legal authority must be established (i.e. a government agency has no ability to enforce a law if it does not have clear legal authority to enforce a law—it can’t just argue that the authority is implied).
It is unclear what “express or implied” means. Since legal authority is not required, this would suggest that “express” or “implied” does not mean that the authority must be expressed or implied in law. It is difficult to determine what would be express if it were not expressly authorized in law.
As for implied, the Department appears to intend that “implied” can be ascertained by the situation and not what a law would imply. This would allow agencies to have an almost unlimited ability to claim it has a right to PII.
From a practical perspective, institutions and agencies would have no objective way to figure out whether they can or should disclose PII under the audit or evaluation exception. If a state agency claims authority exists because it is implied, regardless of what the law states, an institution or agency would have to struggle to figure out whether disclosing the information violates FERPA.
By requiring legal authority, there is a practical objective way for institutions to properly comply with FERPA—they would just need to review the legal authority that is used as justification for the disclosure.
Recommendation: Maintain the existing FERPA requirement that there must be legal authority for a third party to receive PII to conduct audits and evaluations.
Directory Information (99.37)
Prohibiting the directory information opt-out provision to cover students wearing ID cards and ID badges for safety reasons is consistent with the notion that FERPA was not designed to prohibit institutions from properly functioning—it also is comparable to the existing exception under 99.37 prohibiting the directory information opt-out from being used in a class (name, identifier, or email address may be disclosed).
In the proposed regulations, there is no limit on what directory information may be included on the ID card. This could be problematic, if for example, institutions required unnecessary information such as address or phone number (such information could even pose safety risks to the student wearing the ID).
Recommendation: Make the proposed change but specify the directory information that can be displayed bearing in mind that some information would be unnecessary.
Section 99.37(d) (Limited Directory Information Policy)
Under existing law, institutions already can decide who will or will not receive directory information. Even so, there has been confusion as to whether FERPA allows institutions to formally disclose directory information for specific parties and/or specific purposes only.
This proposal does give institutions more clarity regarding directory information and allows them to feel more confident in having a directory information policy without fear of the information bring misused.
It also would be helpful if this proposed change clarified that institutions can have different policies based on each specific type of directory information. For example, it would be very useful for institutions to be able to communicate that certain directory information may be disclosed to specific parties but not other types of directory information.
Recommendation: Make the proposed change but also clarify the change may apply to each type or subset of directory information.
Enforcement Procedures With Respect to Any Recipient of Department Funds That Students Do Not Attend (99.60)
The FERPA statute does not authorize the Department to expand who must comply with FERPA. The entire statute is drafted in a manner that makes it very clear that “educational agencies or institutions” do not cover student loan lenders, nonprofits, etc.
The FERPA statute states, “No funds shall be made available under any applicable program to any educational agency or institution unless the parents of students who are or have been in attendance at a school of such agency or at such institution…”
The third party entities discussed in the proposed regulations would not be covered—for example, a student does not attend a student loan lender. The entire statute covers requirements that would not apply to these third parties.
Recommendation: Do not expand the FERPA enforcement coverage.
I again appreciate this opportunity to provide comments on the proposed regulations. As the Department finalizes the regulations, I hope that it will respect and protect the very important privacy objectives of FERPA.
Daren Bakst, J.D., LL.M.
Council on Law in Higher Education
*These scenarios likely would be answered in the affirmative, especially when considering the other proposed changes in the regulations.