The Department of Education has amended the implementing regulations for the Family Educational Rights and Privacy Act (“FERPA”).  According to the Department, the new regulations are intended to “safeguard student privacy while giving states the flexibility to share school data.”   

Among other things, the new regulations:

  • Make it easier for educational authorities to share educational records in order to carry out audits, evaluations, or enforcement or compliance activities relating to education programs. A written agreement must be in place to govern the use and protection of the disclosed information.  In addition, reasonable efforts must be used to ensure that authorized representative receiving the records is FERPA-compliant to the greatest extent practicable.   
  • Make it easier to share educational records with organizations conducting research studies for, or on behalf of, educational agencies.  The existing FERPA regulations already require that the parties execute a written agreement when disclosing educational records under this “studies exception.”  
  • Recommend best practices for written agreements.  In its accompanying guidance, the Department identified and discussed best practices for written agreements, such as binding individuals, not just the entity, to the agreement; agreeing on use limitations; prohibiting redisclosures; identifying data custodians; identifying penalties; setting terms for data destruction; maintaining a right to audit; and having a data breach plan.
  • Recommend best practices for ensuring compliance by authorized representatives that receive educational records.  Some of the best practices identified by the Department include verifying the existence of disciplinary policies to protect data; verifying the existence of a data security plan; verifying the existence of a data stewardship program; conducting background investigations of employees who will have access to educational records; and verifying training.
  • Clarify the scope of the Department’s enforcement authority.  The regulations make clear that the Department has the authority to investigate and enforce alleged FERPA violations committed by any recipient of Department funds under a program administered by the Secretary — including nonprofit organizations, student loan lenders, and student loan guaranty agencies.  

The changes will become effective on January 3, 2012.  For written agreements that are already in place prior to the effective date, the new requirements will be triggered when the agreements are renewed or amended.