[Federal Register Volume 69, Number 77 (Wednesday, April 21, 2004)]
[Rules and Regulations]
[Pages 21670-21672]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-9054]
[[Page 21669]]
-----------------------------------------------------------------------
Part V
Department of Education
-----------------------------------------------------------------------
34 CFR Part 99
Family Educational Rights and Privacy Act; Final Rule
��Federal Register / Vol. 69, No. 77 / Wednesday, April 21, 2004 /
Rules and Regulations��
[[Page 21670]]
-----------------------------------------------------------------------
DEPARTMENT OF EDUCATION
34 CFR Part 99
RIN 1855-AA00
Family Educational Rights and Privacy Act
AGENCY: Office of Innovation and Improvement; Department of Education.
ACTION: Final regulations.
-----------------------------------------------------------------------
SUMMARY: The Secretary amends 34 CFR part 99 to implement the
Department's interpretation of the Family Educational Rights and
Privacy Act (FERPA) identified through administrative experience as
necessary for proper program operation. These final regulations provide
general guidelines for accepting ``signed and dated written consent''
under FERPA in electronic format.
DATES: These regulations are effective May 21, 2004.
FOR FURTHER INFORMATION CONTACT: Kathleen Wolan, U.S. Department of
Education, 400 Maryland Avenue, SW., room 2W115, Washington, DC 20202-
5901. Telephone: (202) 260-3887.
If you use a telecommunications device for the deaf (TDD), you may
call the Federal Information Relay Service (FIRS) at 1-800-877-8339.
Individuals with disabilities may obtain this document in an
alternative format (e.g., Braille, large print, audiotape, or computer
diskette) on request to the contact person listed under FOR FURTHER
INFORMATION CONTACT.
SUPPLEMENTARY INFORMATION: On July 28, 2003, the Secretary published a
notice of proposed rulemaking (NPRM) for this amendment in the Federal
Register (68 FR 44420). In the preamble to the NPRM, we invited
interested persons to submit comments concerning the proposed change.
We proposed to add Sec. 99.30(d) in order to provide general
guidelines for educational agencies and institutions that choose to
meet the requirements of Sec. 99.30 with records and signatures in
electronic format.
We reviewed guidance for electronic signatures recently published
by a variety of Federal Government sources, including the Office of
Management and Budget (OMB), the General Services Administration, and
the National Institute for Standards and Technology. Based on that
review and comments received from school officials, we believe it is
necessary to modify these final regulations. We modified these
regulations to reflect the definition of ``electronic signature''
established in the Government Paperwork Elimination Act (GPEA), Public
Law 105-277, Title XVII, Section 1710.
Electronic signatures are an area of rapidly evolving technology.
These modified regulations provide more fluid and flexible standards
for schools that choose to implement a process for accepting electronic
signatures. These modified regulations permit schools to take advantage
of changing technology as it may become available, whether the change
concerns additional security provisions or enhanced customer service.
Analysis of Comments and Changes
In response to the Secretary's invitation in the NPRM, 16 parties
submitted comments on the proposed regulations. We publish an analysis
of the comments and of the changes in the regulations since publication
of the NPRM as an appendix at the end of these final regulations. We
discuss substantive issues under the sections of the regulations to
which they pertain. Generally, we do not address technical and other
minor changes and suggested changes the law does not authorize the
Secretary to make. However, we have reviewed these regulations since
publication of the NPRM and have made changes as follows:
Acceptance of signature in electronic form (Sec. 99.30)
Comments: None.
Discussion: Electronic formats for signatures and documents are
changing rapidly and substantially in response to evolving technologies
and public acceptance. We wish to provide the widest possible
flexibility for schools to adapt to such changes yet retain a
methodology that operates within FERPA's requirements for proper
disclosure of education records. Because FERPA applies to educational
agencies and institutions at all levels, we do not want these
regulations to inadvertently impose standards on elementary and
secondary schools that may be valid only for postsecondary schools
under Federal student aid programs.
Based on our review of standards acceptable to other areas of the
Federal Government, including OMB circulars and Federal Student Aid
(FSA) guidance for electronic student loan transactions, as well as
standards established by laws such as the Electronic Signatures in
Global and National Commerce Act (E-Sign) and GPEA, we believe these
modified regulations will more easily permit schools to adapt to
changing standards in the areas of electronic signatures and documents.
Changes: We have revised these regulations to be consistent with
other Federal Government standards for ``electronic signatures.''
Executive Order 12866
We have reviewed these final regulations in accordance with
Executive Order 12866. Under the terms of the order we have assessed
the potential costs and benefits of this regulatory action.
The potential costs associated with these final regulations are
those resulting from statutory requirements and those we have
determined to be necessary for administering this program effectively
and efficiently.
In assessing the potential costs and benefits--both quantitative
and qualitative--of these final regulations, we have determined that
the benefits of the regulations justify the costs.
Summary of Potential Costs and Benefits
We summarized the potential costs and benefits of these final
regulations in the preamble to the NPRM (68 FR 44421).
Paperwork Reduction Act of 1995
These regulations do not contain any information collection
requirements.
Assessment of Educational Impact
In the NPRM we requested comments on whether the proposed
regulations would require transmission of information that any other
agency or authority of the United States gathers or makes available.
Based on the response to the NPRM and on our review, we have
determined that these final regulations do not require transmission of
information that any other agency or authority of the United States
gathers or makes available.
Electronic Access to This Document
You may view this document, as well as all other Department of
Education documents published in the Federal Register, in text or Adobe
Portable Document Format (PDF) on the Internet at the following site:
http://www.ed.gov/news/fedregister.
To use PDF you must have Adobe Acrobat Reader, which is available
free at this site. If you have questions about using PDF, call the U.S.
Government Printing Office (GPO), toll free, at 1-888-293-6498; or in
the Washington, DC, area at (202) 512-1530.
You may also find these regulations, as well as additional
information about FERPA, on the following Web site: http://www.ed.gov/policy/gen/guid/fpco/index.html.
[[Page 21671]]
Note: The official version of this document is the document
published in the Federal Register. Free Internet access to the
official edition of the Federal Register and the Code of Federal
Regulations is available on GPO Access at: http://www.gpoaccess.gov/nara/index.html.
(Catalog of Federal Domestic Assistance Number does not apply.)
List of Subjects in 34 CFR Part 99
Administrative practice and procedure, Education, Information,
Parents, Privacy, Records, Reporting and recordkeeping requirements,
Students.
Dated: April 2, 2004.
Rod Paige,
Secretary of Education.
0
For the reasons discussed in the preamble, the Secretary amends part 99
of title 34 of the Code of Federal Regulations as follows:
0
1. The authority citation for part 99 continues to read as follows:
Authority: 20 U.S.C. 1232g, unless otherwise noted.
0
2. Section 99.30 is amended by adding a new paragraph (d) to read as
follows:
Sec. 99.30 Under what conditions is prior consent required to
disclose information?
* * * * *
(d) ``Signed and dated written consent'' under this part may
include a record and signature in electronic form that--
(1) Identifies and authenticates a particular person as the source
of the electronic consent; and
(2) Indicates such person's approval of the information contained
in the electronic consent.
Appendix
Analysis of Comments and Changes
Note: The following appendix will not appear in the Code of
Federal Regulations.
Use at Multiple School Levels
Comments: One commenter asked whether the proposed regulations
apply only to eligible students at postsecondary institutions.
Discussion: FERPA gives the right to consent to disclosure of
education records to parents of minor children at the elementary and
secondary school levels, and to parents of children with
disabilities who receive services under Part B or Part C of the
Individuals with Disabilities Education Act (IDEA). When a student
turns 18 years of age or attends a postsecondary institution at any
age, the student is considered an ``eligible student'' under FERPA.
The right to consent under FERPA transfers under either of those two
conditions from the parent to the eligible student. Although the
term ``eligible student'' will be used throughout this document,
educational agencies and institutions at all levels may use these
regulations to accept electronic signatures.
Change: None.
Specific Methodologies
Comments: Several commenters asked for more specific guidance on
authentication methods and technologies that may be used.
Discussion: As explained in the preamble to the NPRM, the
regulations are purposefully narrow in scope and intended to be
technology-neutral (page 44420). While we will issue additional
guidance that will include further examples of an acceptable
process, we do not want to limit the flexibility of schools in this
area of rapid technological change.
Change: None.
Safe Harbor
Comments: Several commenters support the use of the FSA
standards for electronic signatures in electronic student loan
transactions (FSA Standards) as a ``safe harbor'' provision for
acceptance of electronic signatures in FERPA. Several other
commenters objected to the FSA Standards as being too rigorous for
the perceived level of risk of improper disclosure. The FSA
Standards may be viewed on the Internet at the following site:
http://www.ifap.ed.gov/dpcletters/gen0106.html.
Discussion: The preamble to the NPRM stated (page 44421) that
the FSA Standards would be the ``safe harbor'' provision. A ``safe
harbor'' is not set at the minimally acceptable level of security.
Due to the nature of the information that may be disclosed and the
potential harm a student may suffer from an unauthorized disclosure,
we believe the ``safe harbor'' provision is not unduly rigorous.
Schools retain the flexibility to choose to implement a system that
meets the ``safe harbor'' provisions or to choose to implement
another system to meet the new FERPA provisions.
However, schools should be reminded that Congress has also,
through the Gramm-Leach-Bliley Act (GLB) (Pub.L. 106-102, November
12, 1999), imposed additional privacy restrictions on financial
institutions, which include postsecondary institutions, requiring
institutions to protect against unauthorized access to, or use of,
consumer records. The Federal Trade Commission's (FTC) rule on the
privacy of consumer financial information provides that
postsecondary institutions that are complying with FERPA to protect
the privacy of their student financial aid records will be deemed in
compliance with the FTC's rule. (65 FR 33646, 33648 (May 24, 2000)).
This exemption applies to notice requirements and the restrictions
on a financial institution's disclosure of nonpublic personal
information to nonaffiliated third parties in Title V of GLB.
However, postsecondary institutions are not exempt from the FTC
final rule implementing section 501 of GLB on Safeguarding Customer
Information. (67 FR 368484 (May 23, 2002)). Financial institutions,
including postsecondary institutions, are required to have adopted
an information security program by May 23, 2003, under the FTC rule.
Thus, while schools have the maximum flexibility in choosing a
system that meets FSA's ``safe harbor'' provisions or another
process for authenticating Personal Identification Number (PIN)
numbers under FERPA, postsecondary institutions should keep these
other Federal requirements in mind when implementing such systems.
Change: None.
Applicability of FSA Standards
Comments: One commenter stated that it was confusing to apply
the situations and terminology in the FSA Standards to FERPA. The
commenter suggested that we issue a separate guide on FERPA
standards.
Discussion: The FSA Standards do not apply directly to FERPA
because some actions are imposed only on lenders or borrowers of
financial aid. For example, the FSA Standards require that paper
copies of transactions be provided to a student borrower at no cost
in some circumstances, and lenders are required to obtain a
borrower's specific consent to conduct loan transactions
electronically. Neither of those circumstances has parallels within
FERPA.
We agree that some circumstances within the FSA Standards do not
relate directly to FERPA. While schools are not required by FERPA to
follow the FSA Standards, we believe that schools may use the set-up
and security measures described in the FSA Standards, particularly
sections 3 through 7, as guidance for security measures in a system
using electronic records and signatures under FERPA. We do not plan
to issue a separate FERPA standards document, but we will clarify
these items in additional guidance.
Change: None.
Use of ``Trusted Third Party'' in Identification Verification
Comments: A commenter expressed a belief that disclosure by a
school of student information without prior written consent to a
``trusted third party'' as part of an identification verification
process may be in violation of FERPA. This commenter stated that the
conflict arises because the FSA Standards specify that the third
party may not be an agent of the school.
Discussion: FSA authenticates student identification information
with the Social Security Administration as a ``trusted third
party.'' FERPA's consent provisions do not apply to transactions
between a student and FSA.
In situations where a school is disclosing education records to
a third party, FERPA's consent provisions apply. When the third
party receiving the information from the school is not an agent for
the school, FERPA generally requires a school to obtain prior
written consent before the disclosure is made. Receipt of the prior
consent would then allow a school to disclose personal information
for authentication purposes with the records of independent sources
such as credit reporting agencies or testing companies.
Schools may also choose to use other processes to authenticate
identity. For example, a school may require the eligible student to
present photographic identification issued by a government agency.
Such photographic identification includes, but is not limited to, a
State-issued driver's license, a federally-issued passport,
[[Page 21672]]
and other Military, Federal, or State-issued identification cards.
Change: None.
Issuing a PIN or Password
Comments: One commenter stated that schools that issue a PIN to
students as outlined in the FSA Standards can result in a PIN that
is recorded and accessible to school officials. The commenter is
concerned that this conflicts with FERPA policy that a PIN is not
acceptable for use under FERPA if persons other than the student
have access to the PIN.
Discussion: The process described in the FSA Standards does not
permit school officials to access a student's PIN or password. In
addition, the FSA Standards permit an eligible student to change an
assigned password or PIN to one of their own choosing. Under the FSA
Standards, all of the passwords or PINs, whether assigned or
student-selected, are maintained in a secure database in an
encrypted manner that is not generally accessible to school
officials or other parties.
A school that uses a similar methodology would remain in
compliance with requirements for the acceptance of an electronic
signature under FERPA. However, a school may not use a PIN or
password process that results in a PIN or password that is visible
and easily accessible to persons other than the eligible student
because that type of process results in an insecure PIN or password.
Schools retain the maximum flexibility to implement any appropriate
methodology.
Change: None.
Use of Current Systems
Comments: Several commenters asked whether it is acceptable to
use existing systems that include sign-on capability, such as campus
e-mail, admissions, enrollment, and fee payment systems. Several
commenters also asked if it is acceptable to permit eligible
students to provide notice of directory information opt-outs by use
of electronic signatures.
Discussion: As explained in the preamble to the NPRM, the
requirements for an electronic signature apply in circumstances
where a signed and dated written consent is required under FERPA
(page 44420). Such consent is generally required under FERPA when
information from education records is to be disclosed to a third
party, as in the issuance of a transcript to a prospective employer.
Consent is not a requirement for disclosure of an eligible student's
own records to the student. A school that wishes to use its current
system for situations where FERPA consent is required must determine
whether it provides the required level of security.
The majority of the systems mentioned by the commenters are
designed for communication between a school and an eligible student.
Systems that permit eligible students to view, alter, or update the
student's own records by electronic means are not the subject of
these regulations. A school must ensure that the eligible student
and not some other party is the receiver of the information, but the
method a school uses to do so is not prescribed by these
regulations.
Change: None.
Third-Party Presentation of Electronic Signature
Comments: Several commenters asked whether the proposed
regulations are applicable when a third party, not the eligible
student, presents the electronic signature claimed to be that of the
eligible student. Two commenters expressed strong support for
acceptance of electronic signatures presented by third parties,
primarily when the third party is a government entity or another
educational agency or institution.
Discussion: Educational agencies and institutions are
responsible to ensure that education records are disclosed only in
accordance with FERPA. Any disclosure of education records to a
third party, even in accordance with a student's consent, is
permitted but not required under FERPA. Each agency or institution
must have the flexibility to decide whether a request for disclosure
meets the requirements of FERPA and whether the institution wishes
to make the requested disclosure.
The FERPA regulations do not require that an eligible student
provide his or her consent directly to the educational agency or
institution, and these regulations do not impose a different
requirement for electronic signatures. We would support an agency's
or institution's decision to only accept electronic signatures
presented on behalf of the eligible student by certain third
parties, such as Federal or State agencies.
Change: None.
Application of Standards of Other Privacy Laws
Comments: One commenter suggested that the standards of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Privacy Rule for ``protected health information'' be applied to
personally identifiable information contained in students' education
records. The commenter was concerned because personally identifiable
information from students' education records are disclosed by
educational agencies and institutions to outside third parties who
have grants to do research. The commenter stated that educational
agencies and institutions do not recognize the concern for privacy
of such data.
Discussion: The HIPAA Privacy Rule, which is administered by the
Department of Health and Human Services, excludes from the
definition of ``protected health information'' two categories of
records that are relevant here: ``education records'' covered by
FERPA (34 CFR 99.3 ``Education records'') and records described
under FERPA's medical treatment records provision (34 CFR 99.3
``Education records''). See 45 CFR 160.103(a). The HIPAA Privacy
Rule does not cover such records because Congress, through FERPA,
specifically has addressed how these records should be protected. As
such, FERPA provides ample protections for these records and schools
should ensure that health information, as well as other education
records on students, are not disclosed to outside third parties
without the consent of the student or under one of the exceptions to
FERPA's general prior consent rule.
With regard to the commenter's statement that educational
agencies and institutions do not recognize the concern for privacy
of student information, it has been our experience that the majority
of the Nation's schools do comply with FERPA and strive to protect
the privacy of information contained in student records. FERPA is
not a public open records or freedom of information statute. Rather,
the purpose of FERPA is to protect the privacy interests of parents
and eligible students in records maintained by educational agencies
and institutions on the student. These privacy concerns should not
be viewed as barriers to be minimized and overcome but important
public safeguards to be protected and strengthened.
Change: None.
[FR Doc. 04-9054 Filed 4-20-04; 8:45 am]
BILLING CODE 4000-01-P