June 28, 2006

Ms. Jeanne-Marie Pochert
Deputy Assistant General Counsel
Clark County School District Legal Department
2832 East Flamingo Road
Las Vegas, Nevada 89121

Dear Ms. Pochert:

This responds to questions raised in your December 30, 2004, email regarding the disclosure of education records to a contractor for the Clark County School District (District). This Office investigates complaints and violations under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232g, and provides technical assistance to ensure compliance with the statute and regulations, which are codified at 34 CFR Part 99.

You asked whether FERPA permits the District to disclose education records, without a parent's prior written consent, to Edline, a company that operates an online system that allows parents to access their child's current grades and class attendance reports, as well as school and class news, assignments, calendars, school menus, etc., that have been provided to Edline by District staff. According to your email, Edline provides secure hosting facilities that use encryption, firewall protection, and password codes that parents and students must use to access the student's records. You asked whether Edline is correct in its opinion that the District may disclose education records to Edline, without prior written consent, because it is an agent or contractor of the school and not a third party.

This Office asked you follow-up questions in January 2005, and on February 14, 2005, you forwarded responses provided by Marge Abrams, a representative of Edline. Ms. Abrams explained that Edline has a strict policy against sharing any student information with third parties. Further, according to Ms. Abrams:

When schools publish private information pertaining to specific students (such as grades) at their website hosted by Edline, the school configures exactly who has access to the student information (which is transferred to the school's website via secure SSL connection and stored in encrypted format). Thus, the school itself (not Edline) will provide access to student information only to the people it chooses (members of the school staff, parents, etc.) on an individualized basis through password-protected user accounts. No person that doesn't receive a specific account (with specific access) from the school itself will ever have access to student information (public or private) at the school's Edline website. Edline never grants third parties access to private reports (such as grades) or any other information, because Edline simply facilitates communication on behalf of the school.

There is no sharing of data between schools (or with any other agency or institution) by Edline. All access to student information, whether by other schools, agencies, or any other third parties - is configured and determined by the school itself.

Under FERPA parents (or "eligible students," as defined in § 99.3 of the regulations) have a right to inspect and review their children's education records and to seek to have them amended in certain circumstances. 34 CFR Part 99, subparts B and C. FERPA provides further that no funds administered by the Secretary of Education shall be made available to an educational agency or institution, such as a public school district, that has a policy or practice of releasing or permitting access to personally identifiable information from education records (other than "directory information") without the prior written consent of a parent (or eligible student) except as authorized by law. 20 U.S.C. §1232g(b)(1) and (b)(2). Accordingly, a parent (or eligible student) must provide a signed and dated written consent in accordance with the requirements of §99.30 of the FERPA regulations before an educational agency or institution discloses education records. Exceptions to this requirement are set forth in 34 CFR §99.31.

"Education records" are defined as records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution. 34 CFR §99.3 "Education records" (emphasis added). This means that records directly related to a student that are maintained by contractor or other party acting for a school, including records created by that party, are subject to all FERPA requirements.

"Disclosure" in the FERPA regulations means "to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records to any party" by any means and includes access to education records by school officials. Indeed, one of the exceptions to the prior written consent requirement in FERPA allows "school officials, including teachers, within the agency or institution" to obtain access to education records provided the educational agency or institution has determined that they have "legitimate educational interests" in the information. 34 CFR §99.31(a)(1). Although "school official" is not defined in the statute or regulations, this Office has interpreted the term broadly to include a teacher; school principal; president; chancellor; board member; trustee; registrar; counselor; admissions officer; attorney; accountant; human resources professional; information systems specialist; and support or clerical personnel.

In addition, an educational agency or institution may disclose education records without consent to a "school official" under this exception only if it has first determined that the official has "legitimate educational interests" in obtaining the information to perform specified services for the agency or institution. An educational agency or institution that allows school officials to obtain access to education records under this exception must include in its annual notification of FERPA rights a specification of its criteria for determining who constitutes a "school official" and what constitutes "legitimate educational interests" under §99.31(a)(1). See 34 CFR §99.7(a)(3)(iii).

As noted in your email, FERPA does not specifically address disclosure of education records to contractors, consultants, volunteers and service providers who are not employees of an educational agency or institution. However, the statutory definition of "education records" appears to recognize the use of outside service providers in calling for the protection of records maintained by "a person acting for" the agency or institution." Indeed, the Joint Statement in Explanation of Buckley/Pell Amendment (120 Cong. Rec. S39862, Dec. 13, 1974) refers specifically to materials that are maintained by a school "or by one of its agents" when describing the meaning of the new term "education records" in the December 1974 amendments. Accordingly, this Office has advised that agencies and institutions subject to FERPA are not precluded from disclosing education records to parties to whom they have outsourced services so long as they do so under the same conditions applicable to school officials who are actually employed.

Note that an educational agency or institution may not disclose education records without prior written consent merely because it has entered into a contract or agreement with an outside party. Rather, the agency or institution must be able to show that 1) the outside party provides a service for the agency or institution that it would otherwise provide for itself using employees; 2) the outside party would have "legitimate educational interests" in the information disclosed if the service were performed by employees; and 3) the outside party is under the direct control of the educational agency or institution with respect to the use and maintenance of information from education records. Further, under §99.33(a) of the regulations, any party, including a "school official," that receives education records may use the information only for the purposes for which the disclosure was made and may not redisclose the information to any other party without prior written consent, except as authorized under §99.33(b). As noted above, education records maintained by a party providing services for an educational agency or institution, including records created by that party, are subject to all FERPA requirements. An outside party that does not meet these requirements may not be given access to personally identifiable information from education records without meeting the prior written consent requirements.

Critically, an educational agency or institution must ensure that its service provider does not use or allow anyone to obtain access to personally identifiable information from education records except in strict accordance with the requirements established by the agency or institution that discloses the information. In that vein, the agency or institution that outsources services under these requirements remains completely responsible for its service provider's compliance with applicable FERPA requirements and liable for any misuse of protected information. For that reason, we recommend that these specific protections be incorporated into any contract or agreement between an educational agency or institution and any non-employees it retains to provide institutional services.

The disclosure of education records to school officials without consent under §99.31(a)(1) is ordinarily excepted from FERPA's specific recordation requirements under §99.32(d)(2) because these disclosures are identified in the school's annual FERPA notification. An educational agency or institution that has complied with the notification requirements in §99.7(a)(3)(iii) for disclosure of education records to contractors and other outside service providers retained as "school officials" under the above conditions may exclude these disclosures from the recordation requirements in accordance with §99.32(d)(2). If the agency or institution has not listed contractors and other outside service providers as "school officials" in its annual §99.7 FERPA notification, then it is required to record each disclosure to a qualifying contractor in accordance with §99.32(a).

Based on the information provided, it appears that the arrangement schools within the District have with Edline meets these requirements for disclosing specified information from education records to Edline as a "school official" under this FERPA exception. In particular, 1) Edline provides online hosting services that permit parents to view some of their children's education records, and Edline uses the information from education records to perform those services that would otherwise be provided by school employees; 2) Edline's online access services provide it with "legitimate educational interests" in the information disclosed to Edline by each school; and 3) Edline's use and maintenance of personally identifiable information from education records is subject to the direct control of each school within the District. Each school or the District must ensure that Edline does not redisclose or permit the redisclosure of any personally identifiable information from education records except as specifically authorized by the school or District that is responsible for the contract. The school (or District), in turn, remains responsible for any FERPA violations committed by its service provider. In that regard, we note that Edline takes reasonable and appropriate steps to ensure that information from education records is not disclosed or made available to other parties and does not use the information for any other purpose.

I trust that the above information is helpful in explaining the scope and limitations of FERPA as it relates to your concern.

Sincerely,

LeRoy S. Rooker
Director
Family Policy Compliance Office