February 18, 2004

Dr. Allan M. Lloyd-Jones
Special Education Consultant
Special Education Office
California Department of Education
1430 N Street, Suite 2401
Sacramento, California 94244-2720

Dear Dr. Lloyd-Jones:

This is in follow-up to your telephone call to this Office on September 10, 2003, in which you asked for guidance on the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g. Specifically, you stated that officials of the California Department of Health Services (DHS) have asked the California Department of Education (CDE) to disclose personally identifiable information from students' education records, maintained by the CDE, to DHS officials who are conducting a surveillance of children with autism and other developmental disabilities. The DHS has requested that the CDE enter into a memorandum of understanding (MOU) in order to accomplish this sharing of information and you ask whether the CDE may provide the information as requested by the DHS or permit local educational agencies (LEAs) and/or schools to disclose information to DHS officials, consistent with its obligations under FERPA. This Office administers FERPA and provides technical assistance to educational agencies and institutions to ensure compliance with the statute and regulations codified at 34 CFR Part 99.

In general, parents have the right under FERPA to inspect and review their children's education records and to seek to have them amended in certain circumstances. 34 CFR Part 99, Subparts B and C. In addition, an educational agency or institution subject to FERPA may not have a policy or practice of disclosing education records, or non-directory, personally identifiable information from education records, without the written consent of the parent or eligible student, except as provided by law. 34 CFR Part 99, Subpart D. "Education records" are defined as records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution. 34 CFR § 99.3 ("Education records"). It is our understanding that CDE obtained the records sought by DHS from schools and school districts pursuant to CDE's responsibility under the Individuals with Disability Education Act (IDEA) for ensuring that the Federal legal requirements of IDEA are met. As such, the information requested by the DHS clearly falls within the definition of "education records" under FERPA.

FERPA applies to "educational agencies and institutions" that receive funds under any program administered by the Secretary of Education. 34 CFR 99.1. Most local public schools and school districts (local educational agencies, or LEAs) are subject to FERPA because they receive Department funds and meet the description of an "educational agency" or "educational institution" provided in § 99.1 of the FERPA regulations. While an SEA may receive funds from the Department, as a practical matter, FERPA generally would not apply to the records of an SEA. This is because FERPA defines "education records" as information directly related to a "student," which itself is defined as excluding a person who has not been in attendance at the educational agency or institution. 20 U.S.C. § 1232g(a)(4) and (a)(6). Since students generally are not in attendance at an SEA, it follows that FERPA does not generally apply to the SEA's records. (Congress amended FERPA in § 249 of the Improving America's Schools Act of 1994 so that parents have the right to inspect and review education records maintained by an SEA, including records that an SEA creates or receives from local school districts or other sources. See 34 CFR § 99.10(a)(2).)

LEAs and their constituent schools most often disclose education records to SEAs under §§ 99.31(a)(3)(iv) and 99.35 of the FERPA regulations, which permit disclosure without written consent to "authorized representatives of ... State and local educational authorities" provided the disclosure is in connection with:

• An audit or evaluation of Federal or State supported education programs; or
• Enforcement of, or compliance with, Federal legal requirements relating to such programs.

Information collected under this provision must be:

• Protected in a manner that does not permit personal identification of individuals by anyone except the officials listed in 34 CFR 99.31(a)(3); and
• Destroyed when no longer needed for the purposes for which it was disclosed.

In this case, we are aware of no exception to the written consent rule other than § 99.31(a)(3) that would permit schools and LEAs to disclose the information to CDE without written parental consent in order for CDE to perform its responsibility of ensuring that the Federal legal requirements of IDEA are met. Accordingly, information disclosed to CDE and other officials listed in 34 CFR § 99.31(a)(3) may not be redisclosed in personally identifiable form, intentionally or otherwise, to anyone other than authorized representatives of CDE and must be destroyed when no longer needed for the audit or evaluation purpose for which it was collected. It should noted be that "disclosure" not only means the transmitting or releasing of information to a third party but encompasses permitting a third party to have access to the information in any manner, including oral, written, or electronic means. 34 CFR § 99.3 ("Disclosure"). Thus, allowing a party that is not an official of the SEA to inspect and review personally identifiable information would constitute a "disclosure" of personally identifiable information under FERPA.

It has come to our attention that some SEAs have entered into agreements with state departments of health or other entities who are grantees of the Federal Centers for Disease Control and Prevention (CDC) as part of CDC's population-based surveillance projects for children with autism and other developmental disabilities, pursuant to CDC's obligations under Section 102 of the Children's Health Act of 2000 (P.L. 106-310, October 17, 2000). In some cases, the SEA has used an MOU to designate the state health department or other entity as its "authorized representative" for purposes of meeting the requirements of §§ 99.31(a)(3)(iv) and 99.35 of the FERPA regulations, as described above.

Earlier this year, the Department issued guidance regarding whether FERPA permits a State or local educational authority, such as an SEA, to authorize or designate another State agency as its "authorized representative" in order to conduct data matching with the other entity. This memorandum was issued to all Chief State School Officers on January 30, 2003, by former Deputy Secretary William D. Hansen and is available on this Office's website (www.ed.gov/offices/OII/fpco). The Deputy Secretary's memorandum rescinded (effective April 30) previous Department guidance that relied on an expansive interpretation of the term "authorized representative" in § 99.31(a)(3) to support data matching with state labor departments and other non-educational agencies in order to meet Workforce Investment Act and other Federal reporting requirements. It grew out of concern that unlimited discretion to appoint or designate an "authorized representative" for data matching purposes essentially vitiates the specific conditions for nonconsensual disclosure under §§ 99.31(a)(3) and 99.35 and, more generally, FERPA's prohibition on disclosure without written consent. The memo explains that multiple references to "officials" in the statutory text for this exception reflect congressional concern that the "authorized representatives" of a State educational authority (or other official listed in § 99.31(a)(3)) must be under the direct control of that authority, which means an employee, appointed official, or "contractor."

"Contractor" in this sense means outsourcing or using third-parties to provide services that the State educational authority would otherwise provide for itself, in circumstances where internal disclosure would be appropriate under § 99.35 if the State educational authority were providing the service itself, and where the parties have entered into an agreement that establishes the State educational authority's direct control over the contractor with respect to the service provided by the contractor. Any contractor that obtains access to personally identifiable information from education records in these circumstances is bound by the same restrictions on redisclosure and destruction of information that apply to the State educational authority itself under § 99.35, and the State educational authority is responsible for ensuring that its contractor does not redisclose or allow any other party to have access to any personally identifiable information from education records.

In the circumstances you described, DHS may not serve as an "authorized representative" of CDE under § 99.31(a)(3) of the FERPA regulations because DHS personnel are not employees, appointed officials, or contractors under the direct control of CDE, the State educational authority. That is, CDE may not enter into an MOU or some other type of agreement with DHS or some other outside agency to disclose personally identifiable information from education records to DHS.

Some educational agencies and institutions have asked whether FERPA would permit them to disclose information to outside researchers under the "study" provision of FERPA. See 20 U.S.C. § 1232g(b)(1)(F). Under FERPA, an educational agency or institution may generally disclose personally identifiable, non-directory information, without obtaining prior written consent, to organizations conducting studies for, or on behalf of, the agency or institution, in order to:

(A) develop, validate, or administer predictive tests;
(B) administer student aid programs; or
(C) improve instruction.

34 CFR § 99.31(a)(6); 20 U.S.C. § 1232g(b)(1)(F). The agency or institution may release information under this provision only if:

(A) the study is conducted in a manner that does not permit personal identification of parents and students by individuals other than representatives of the organization; and

(B) the information is destroyed when no longer needed for the purposes for which the study was conducted.

Id.

As with the FERPA provision for disclosure of information to State and local educational authorities, discussed above, recipients of information from education records under this provision may not redisclose information in personally identifiable form except to officials of the organization conducting the study for which the information was originally disclosed.

Implicit in the "study" exception is the notion that an educational agency or institution has authorized a study. The fact that an outside entity, on its own initiative, conducts a study which may benefit an educational agency or institution, does not transform the study into one done "for or on behalf of" the educational agency or institution.

There are ways in which an educational agency or institution may participate in research such as the surveillance of children with autism and other developmental disabilities without violating FERPA. First, nothing in FERPA prohibits the CDE or an LEA or school from disclosing information in aggregate or other non-personally identifiable form. As noted earlier, FERPA specifically prevents the disclosure of personally identifiable information from education records, without the prior written consent of parents and students under § 99.30, including:

(a) the student's name;
(b) the name of the student's parent or other family member;
(c) the address of the student or student's family;
(d) a personal identifier, such as the student's social security number or student number;
(e) a list of personal characteristics that would make the student's identity easily traceable; or
(f) other information that would make the student's identity easily traceable.

In order to make sure that student-level information is not personally identifiable, in circumstances that can lead to identification of an individual, the disclosing educational agency or institution (the CDE or LEA or school) would need to remove not only name and ID number but also "personal characteristics" and "other information that would make the student's identity easily traceable," which means such factors as physical description (race, sex, appearance, etc.); date and place of birth; religion and national origin; participation in sports, clubs, and other activities; academic performance; employment; disciplinary actions or criminal proceedings, etc. "Other information that would make the student's identity easily traceable" may also be implicated in the release of small numbers of aggregated or statistical information from education records.

Second, nothing in FERPA prohibits school officials from asking parents for their consent in order to disclose personally identifiable information on students to DHS officials. The written consent required before an educational agency or institution may disclose personally identifiable, non-directory information from education records should:

(1) specify the records that may be disclosed;

(2) state the purpose of the disclosure; and

(3) identify the party or class of parties to whom the disclosure may be made.

34 CFR § 99.30(b); see 20 U.S.C. § 1232g(b)(2)(A).

If requested, the agency or institution must provide a parent or student with a copy of the records disclosed. 34 CFR § 99.30(c).

I trust that this adequately explains the scope and limitations of FERPA as it relates to the disclosure of personally identifiable information by the CDE, LEAs, and/or schools to DHS. Should you have any further questions, please do not hesitate to contact this Office at the following address and telephone number:

Family Policy Compliance Office
Office of Innovation and Improvement
U.S. Department of Education
400 Maryland Avenue, S.W.
Washington, D.C. 20202-5901
(202) 260-3887

Sincerely,


/s/


LeRoy S. Rooker
Director
Family Policy Compliance Office