
EDGAR Appendix A (Federal Register 4/21/04: Family Educational Rights and Privacy Act; Final Rule)


National Archives And Records Administration
Federal Register
Wednesday, April 21, 2004
Part V
Department of Education
34 CFR Part 99
Family Educational Rights and Privacy Act; Final Rule

Pages 21670-21672

Appendix A


21670 Federal Register / Vol. 69, No. 77 / Wednesday, April 21, 2004
/ Rules and Regulations

DEPARTMENT OF EDUCATION

34 CFR Part 99

RIN 1855-AA00

Family Educational Rights and Privacy Act

AGENCY: Office of Innovation and Improvement; Department of
Education.

ACTION: Final regulations.

SUMMARY: The Secretary amends 34 CFR part 99 to implement the
Department's interpretation of the Family Educational Rights and
Privacy Act (FERPA) identified through administrative experience as
necessary for proper program operation. These final regulations
provide general guidelines for accepting ''signed and dated written
consent'' under FERPA in electronic format.

DATES: These regulations are effective May 21, 2004.

FOR FURTHER INFORMATION CONTACT:
Kathleen Wolan, U.S. Department of Education, 400 Maryland Avenue,
SW., room 2W115, Washington, DC 20202-5901. Telephone:
(202) 260-3887.
   If you use a telecommunications device for the deaf (TDD), you
may call the Federal Information Relay Service (FIRS) at
1-800-877-8339.
   Individuals with disabilities may obtain this document in an
alternative format (e.g., Braille, large print, audiotape, or
computer diskette) on request to the contact person listed under FOR
FURTHER INFORMATION CONTACT.

SUPPLEMENTARY INFORMATION: On July 28, 2003, the Secretary published
a notice of proposed rulemaking (NPRM) for this amendment in the
Federal Register (68 FR 44420). In the preamble to the NPRM, we
invited interested persons to submit comments concerning the
proposed change. We proposed to add Sec. 99.30(d) in order to provide
general guidelines for educational agencies and institutions that
choose to meet the requirements of Sec. 99.30 with records and
signatures in electronic format.
   We reviewed guidance for electronic signatures recently published
by a variety of Federal Government sources, including the Office of
Management and Budget (OMB), the General Services Administration,
and the National Institute for Standards and Technology. Based on
that review and comments received from school officials, we believe
it is necessary to modify these final regulations. We modified these
regulations to reflect the definition of ''electronic signature''
established in the Government Paperwork Elimination Act (GPEA),
Public Law 105-277, Title XVII, Section 1710.
   Electronic signatures are an area of rapidly evolving technology.
These modified regulations provide more fluid and flexible standards
for schools that choose to implement a process for accepting
electronic signatures. These modified regulations permit schools to
take advantage of changing technology as it may become available,
whether the change concerns additional security provisions or
enhanced customer service.

Analysis of Comments and Changes

   In response to the Secretary's invitation in the NPRM, 16 parties
submitted comments on the proposed regulations. We publish an
analysis of the comments and of the changes in the regulations since
publication of the NPRM as an appendix at the end of these final
regulations. We discuss substantive issues under the sections of the
regulations to which they pertain. Generally, we do not address
technical and other minor changes and suggested changes the law does
not authorize the Secretary to make. However, we have reviewed these
regulations since publication of the NPRM and have made changes as
follows:
Acceptance of signature in electronic form (Sec. 99.30)
Comments: None.
Discussion: Electronic formats for signatures and documents are
changing rapidly and substantially in response to evolving
technologies and public acceptance. We wish to provide the widest
possible flexibility for schools to adapt to such changes yet retain
a methodology that operates within FERPA's requirements for proper
disclosure of education records. Because FERPA applies to
educational agencies and institutions at all levels, we do not want
these regulations to inadvertently impose standards on elementary
and secondary schools that may be valid only for postsecondary
schools under Federal student aid programs.
   Based on our review of standards acceptable to other areas of the
Federal Government, including OMB circulars and Federal Student Aid
(FSA) guidance for electronic student loan transactions, as well as
standards established by laws such as the Electronic Signatures in
Global and National Commerce Act (E-Sign) and GPEA, we believe these
modified regulations will more easily permit schools to adapt to
changing standards in the areas of electronic signatures and
documents.
Changes: We have revised these regulations to be consistent with
other Federal Government standards for ''electronic signatures.''

Executive Order 12866

   We have reviewed these final regulations in accordance with
Executive Order 12866. Under the terms of the order we have assessed
the potential costs and benefits of this regulatory action. The
potential costs associated with these final regulations are those
resulting from statutory requirements and those we have determined
to be necessary for administering this program effectively and
efficiently.
   In assessing the potential costs and benefits, both quantitative
and qualitative, of these final regulations, we have determined that
the benefits of the regulations justify the costs.

Summary of Potential Costs and Benefits

   We summarized the potential costs and benefits of these final
regulations in the preamble to the NPRM (68 FR 44421).

Paperwork Reduction Act of 1995
These regulations do not contain any information collection
requirements.

Assessment of Educational Impact

   In the NPRM we requested comments on whether the proposed
regulations would require transmission of information that any other
agency or authority of the United States gathers or makes available.
   Based on the response to the NPRM and on our review, we have
determined that these final regulations do not require transmission
of information that any other agency or authority of the United
States gathers or makes available.

Electronic Access to This Document
You may view this document, as well as all other Department of
Education documents published in the Federal Register, in text or
Adobe Portable Document Format (PDF) on the Internet at the
following site: http://www.ed.gov/news/fedregister. To use PDF you
must have Adobe Acrobat Reader, which is available free at this
site. If you have questions about using PDF, call the U.S.
Government Printing Office (GPO), toll free, at 1-888-293-6498; or
in the Washington, DC, area at (202) 512-1530. You may also find
these regulations, as well as additional information about FERPA, on
the following Web site:
http://www.ed.gov/policy/gen/guid/fpco/index.html.

Note: The official version of this document is the document
published in the Federal Register. Free Internet access to the
official edition of the Federal Register and the Code of Federal
Regulations is available on GPO Access at:
http://www.gpoaccess.gov/nara/index.html.
(Catalog of Federal Domestic Assistance Number does not apply.)

List of Subjects in 34 CFR Part 99
   Administrative practice and procedure, Education, Information,
Parents, Privacy, Records, Reporting and recordkeeping requirements,
Students.

Dated: April 2, 2004.
Rod Paige,
Secretary of Education.

   For the reasons discussed in the preamble, the Secretary amends
part 99 of title 34 of the Code of Federal Regulations as
follows:
   1. The authority citation for part 99 continues to read as
follows:

   Authority: 20 U.S.C. 1232g, unless otherwise noted.
   2. Section 99.30 is amended by adding a new paragraph (d) to
read as follows:

Sec. 99.30 Under what conditions is prior consent required to disclose
information?
* * * * *
(d) ''Signed and dated written consent'' under this part may include
a record and signature in electronic form that-
(1) Identifies and authenticates a particular person as the source
of the electronic consent; and
(2) Indicates such person's approval of the information contained in
the electronic consent.

Appendix

Analysis of Comments and Changes

Note: The following appendix will not appear in the Code of Federal
Regulations.

Use at Multiple School Levels

Comments: One commenter asked whether the proposed regulations apply
only to eligible students at postsecondary institutions.
Discussion: FERPA gives the right to consent to disclosure of
education records to parents of minor children at the elementary and
secondary school levels, and to parents of children with
disabilities who receive services under Part B or Part C of the
Individuals with Disabilities Education Act (IDEA). When a student
turns 18 years of age or attends a postsecondary institution at any
age, the student is considered an ''eligible student'' under FERPA.
The right to consent under FERPA transfers under either of those two
conditions from the parent to the eligible student. Although the
term ''eligible student'' will be used throughout this document,
educational agencies and institutions at all levels may use these
regulations to accept electronic signatures.
Change: None.

Specific Methodologies
Comments: Several commenters asked for more specific guidance on
authentication methods and technologies that may be used.
Discussion: As explained in the preamble to the NPRM, the
regulations are purposefully narrow in scope and intended to be
technology-neutral (page 44420). While we will issue additional
guidance that will include further examples of an acceptable
process, we do not want to limit the flexibility of schools in this
area of rapid technological change.
Change: None.

Safe Harbor
Comments: Several commenters support the use of the FSA standards
for electronic signatures in electronic student loan transactions
(FSA Standards) as a ''safe harbor'' provision for acceptance of
electronic signatures in FERPA. Several other commenters objected
to the FSA Standards as being too rigorous for the perceived level
of risk of improper disclosure. The FSA Standards may be viewed
on the Internet at the following site:
http://www.ifap.ed.gov/dpcletters/gen0106.html.
Discussion: The preamble to the NPRM stated (page 44421) that the
FSA Standards would be the ''safe harbor'' provision. A ''safe
harbor'' is not set at the minimally acceptable level of security.
Due to the nature of the information that may be disclosed and the
potential harm a student may suffer from an unauthorized disclosure,
we believe the ''safe harbor'' provision is not unduly rigorous.
Schools retain the flexibility to choose to implement a system that
meets the ''safe harbor'' provisions or to choose to implement
another system to meet the new FERPA provisions.
   However, schools should be reminded that Congress has also,
through the Gramm-Leach-Bliley Act (GLB) (Pub.L. 106-102, November
12, 1999), imposed additional privacy restrictions on financial
institutions, which include postsecondary institutions, requiring
institutions to protect against unauthorized access to, or use of,
consumer records. The Federal Trade Commission's (FTC) rule on the
privacy of consumer financial information provides that
postsecondary institutions that are complying with FERPA to protect
the privacy of their student financial aid records will be deemed in
compliance with the FTC's rule. (65 FR 33646, 33648 (May 24, 2000)).
This exemption applies to notice requirements and the restrictions
on a financial institution's disclosure of nonpublic personal
information to nonaffiliated third parties in Title V of GLB.
However, postsecondary institutions are not exempt from the FTC
final rule implementing section 501 of GLB on Safeguarding Customer
Information. (67 FR 368484 (May 23, 2002)). Financial institutions,
including postsecondary institutions, are required to have adopted
an information security program by May 23, 2003, under the FTC rule.
   Thus, while schools have the maximum flexibility in choosing a
system that meets FSA's ''safe harbor'' provisions or another
process for authenticating Personal Identification Number (PIN)
numbers under FERPA, postsecondary institutions should keep these
other Federal requirements in mind when implementing such systems.
Change: None.

Applicability of FSA Standards
Comments: One commenter stated that it was confusing to apply the
situations and terminology in the FSA Standards to FERPA. The
commenter suggested that we issue a separate guide on FERPA
standards.
Discussion: The FSA Standards do not apply directly to FERPA because
some actions are imposed only on lenders or borrowers of financial
aid. For example, the FSA Standards require that paper copies of
transactions be provided to a student borrower at no cost in some
circumstances, and lenders are required to obtain a borrower's
specific consent to conduct loan transactions electronically.
Neither of those circumstances has parallels within FERPA.
   We agree that some circumstances within the FSA Standards do not
relate directly to FERPA. While schools are not required by FERPA to
follow the FSA Standards, we believe that schools may use the set-up
and security measures described in the FSA Standards, particularly
sections 3 through 7, as guidance for security measures in a system
using electronic records and signatures under FERPA. We do not plan
to issue a separate FERPA standards document, but we will clarify
these items in additional guidance.
Change: None.

Use of ''Trusted Third Party'' in Identification Verification
Comments: A commenter expressed a belief that disclosure by a school
of student information without prior written consent to a ''trusted
third party'' as part of an identification verification process may
be in violation of FERPA. This commenter stated that the conflict
arises because the FSA Standards specify that the third party may
not be an agent of the school.
Discussion: FSA authenticates student identification information
with the Social Security Administration as a ''trusted third
party.'' FERPA's consent provisions do not apply to transactions
between a student and FSA. In situations where a school is
disclosing education records to a third party, FERPA's consent
provisions apply. When the third party receiving the information
from the school is not an agent for the school, FERPA generally
requires a school to obtain prior written consent before the
disclosure is made. Receipt of the prior consent would then allow a
school to disclose personal information for authentication purposes
with the records of independent sources such as credit reporting
agencies or testing companies.
Schools may also choose to use other processes to authenticate
identity. For example, a school may require the eligible student to
present photographic identification issued by a government agency.
Such photographic identification includes, but is not limited to, a
State-issued driver's license, a federally-issued passport, and
other Military, Federal, or State-issued identification cards.
Change: None.

Issuing a PIN or Password
Comments: One commenter stated that schools that issue a PIN to
students as outlined in the FSA Standards can result in a PIN that
is recorded and accessible to school officials. The commenter is
concerned that this conflicts with FERPA policy that a PIN is not
acceptable for use under FERPA if persons other than the student
have access to the PIN.
Discussion: The process described in the FSA Standards does not
permit school officials to access a student's PIN or password. In
addition, the FSA Standards permit an eligible student to change an
assigned password or PIN to one of their own choosing. Under the FSA
Standards, all of the passwords or PINs, whether assigned or
student-selected, are maintained in a secure database in an
encrypted manner that is not generally accessible to school
officials or other parties. A school that uses a similar methodology
would remain in compliance with requirements for the acceptance of
an electronic signature under FERPA. However, a school may not use a
PIN or password process that results in a PIN or password that is
visible and easily accessible to persons other than the eligible
student because that type of process results in an insecure PIN or
password. Schools retain the maximum flexibility to implement any
appropriate methodology.
Change: None.

Use of Current Systems
Comments: Several commenters asked whether it is acceptable to use
existing systems that include sign-on capability, such as campus
e-mail, admissions, enrollment, and fee payment systems. Several
commenters also asked if it is acceptable to permit eligible
students to provide notice of directory information opt-outs by use
of electronic signatures.
Discussion: As explained in the preamble to the NPRM, the
requirements for an electronic signature apply in circumstances
where a signed and dated written consent is required under FERPA
(page 44420). Such consent is generally required under FERPA when
information from education records is to be disclosed to a third
party, as in the issuance of a transcript to a prospective employer.
Consent is not a requirement for disclosure of an eligible student's
own records to the student. A school that wishes to use its current
system for situations where FERPA consent is required must determine
whether it provides the required level of security.
The majority of the systems mentioned by the commenters are designed
for communication between a school and an eligible student. Systems
that permit eligible students to view, alter, or update the
student's own records by electronic means are not the subject of
these regulations. A school must ensure that the eligible student
and not some other party is the receiver of the information, but the
method a school uses to do so is not prescribed by these
regulations.
Change: None.

Third-Party Presentation of Electronic Signature
Comments: Several commenters asked whether the proposed regulations
are applicable when a third party, not the eligible student,
presents the electronic signature claimed to be that of the eligible
student. Two commenters expressed strong support for acceptance of
electronic signatures presented by third parties, primarily when the
third party is a government entity or another educational agency or
institution.
Discussion: Educational agencies and institutions are responsible to
ensure that education records are disclosed only in accordance with
FERPA. Any disclosure of education records to a third party, even in
accordance with a student's consent, is permitted but not required
under FERPA.
Each agency or institution must have the flexibility to decide
whether a request for disclosure meets the requirements of FERPA and
whether the institution wishes to make the requested disclosure.
The FERPA regulations do not require that an eligible student
provide his or her consent directly to the educational agency or
institution, and these regulations do not impose a different
requirement for electronic signatures. We would support an agency's
or institution's decision to only accept electronic signatures
presented on behalf of the eligible student by certain third
parties, such as Federal or State agencies.
Change: None.

Application of Standards of Other Privacy Laws
Comments: One commenter suggested that the standards of the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy
Rule for ''protected health information'' be applied to personally
identifiable information contained in students' education records.
The commenter was concerned because personally identifiable
information from students' education records are disclosed by
educational agencies and institutions to outside third parties who
have grants to do research. The commenter stated that educational
agencies and institutions do not recognize the concern for privacy
of such data.
Discussion: The HIPAA Privacy Rule, which is administered by the
Department of Health and Human Services, excludes from the
definition of ''protected health information'' two categories of
records that are relevant here: ''education records'' covered by
FERPA (34 CFR 99.3 ''Education records'') and records described
under FERPA's medical treatment records provision (34 CFR 99.3
''Education records''). See 45 CFR 160.103(a). The HIPAA Privacy
Rule does not cover such records because Congress, through FERPA,
specifically has addressed how these records should be protected. As
such, FERPA provides ample protections for these records and schools
should ensure that health information, as well as other education
records on students, are not disclosed to outside third parties
without the consent of the student or under one of the exceptions to
FERPA's general prior consent rule.
With regard to the commenter's statement that educational agencies
and institutions do not recognize the concern for privacy of student
information, it has been our experience that the majority of the
Nation's schools do comply with FERPA and strive to protect the
privacy of information contained in student records. FERPA is not a
public open records or freedom of information statute. Rather, the
purpose of FERPA is to protect the privacy interests of parents and
eligible students in records maintained by educational agencies and
institutions on the student. These privacy concerns should not be
viewed as barriers to be minimized and overcome but important public
safeguards to be protected and strengthened.
Change: None.

[FR Doc. 04-9054 Filed 4-20-04; 8:45 am]
BILLING CODE 4000-01-P



EDGAR version June 23, 2005