Family Educational Rights and Privacy Act: Signed and dated written consent; electronic format,
[Federal Register: April 21, 2004 (Volume 69, Number 77)]
[Rules and Regulations]
[Page 21669-21672]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr21ap04-11]
[[Page 21669]]
Part V
Department of Education
Family Educational Rights and Privacy Act; Final Rule
[[Page 21670]]
DEPARTMENT OF EDUCATION
RIN 1855-AA00
Family Educational Rights and Privacy Act
AGENCY: Office of Innovation and Improvement; Department of Education.
ACTION: Final regulations.
SUMMARY: The Secretary amends 34 CFR part 99 to implement the Department's interpretation of the Family Educational Rights and Privacy Act (FERPA) identified through administrative experience as necessary for proper program operation. These final regulations provide general guidelines for accepting ``signed and dated written consent'' under FERPA in electronic format.
DATES: These regulations are effective May 21, 2004.
FOR FURTHER INFORMATION CONTACT: Kathleen Wolan, U.S. Department of Education, 400 Maryland Avenue, SW., room 2W115, Washington, DC 20202- 5901. Telephone: (202) 260-3887.
If you use a telecommunications device for the deaf (TDD), you may call the Federal Information Relay Service (FIRS) at 1-800-877-8339.
Individuals with disabilities may obtain this document in an alternative format (e.g., Braille, large print, audiotape, or computer diskette) on request to the contact person listed under FOR FURTHER INFORMATION CONTACT.
SUPPLEMENTARY INFORMATION: On July 28, 2003, the Secretary published a notice of proposed rulemaking (NPRM) for this amendment in the Federal Register (68 FR 44420). In the preamble to the NPRM, we invited interested persons to submit comments concerning the proposed change. We proposed to add Sec. 99.30(d) in order to provide general guidelines for educational agencies and institutions that choose to meet the requirements of Sec. 99.30 with records and signatures in electronic format.
We reviewed guidance for electronic signatures recently published by a variety of Federal Government sources, including the Office of Management and Budget (OMB), the General Services Administration, and the National Institute for Standards and Technology. Based on that review and comments received from school officials, we believe it is necessary to modify these final regulations. We modified these regulations to reflect the definition of ``electronic signature'' established in the Government Paperwork Elimination Act (GPEA), Public Law 105-277, Title XVII, Section 1710.
Electronic signatures are an area of rapidly evolving technology. These modified regulations provide more fluid and flexible standards for schools that choose to implement a process for accepting electronic signatures. These modified regulations permit schools to take advantage of changing technology as it may become available, whether the change concerns additional security provisions or enhanced customer service.
Analysis of Comments and Changes
In response to the Secretary's invitation in the NPRM, 16 parties submitted comments on the proposed regulations. We publish an analysis of the comments and of the changes in the regulations since publication of the NPRM as an appendix at the end of these final regulations. We discuss substantive issues under the sections of the regulations to which they pertain. Generally, we do not address technical and other minor changes and suggested changes the law does not authorize the Secretary to make. However, we have reviewed these regulations since publication of the NPRM and have made changes as follows:
Acceptance of signature in electronic form (Sec. 99.30)
Comments: None.
Discussion: Electronic formats for signatures and documents are changing rapidly and substantially in response to evolving technologies and public acceptance. We wish to provide the widest possible flexibility for schools to adapt to such changes yet retain a methodology that operates within FERPA's requirements for proper disclosure of education records. Because FERPA applies to educational agencies and institutions at all levels, we do not want these regulations to inadvertently impose standards on elementary and secondary schools that may be valid only for postsecondary schools under Federal student aid programs.
Based on our review of standards acceptable to other areas of the Federal Government, including OMB circulars and Federal Student Aid (FSA) guidance for electronic student loan transactions, as well as standards established by laws such as the Electronic Signatures in Global and National Commerce Act (E-Sign) and GPEA, we believe these modified regulations will more easily permit schools to adapt to changing standards in the areas of electronic signatures and documents.
Changes: We have revised these regulations to be consistent with other Federal Government standards for ``electronic signatures.''
Executive Order 12866
We have reviewed these final regulations in accordance with Executive Order 12866. Under the terms of the order we have assessed the potential costs and benefits of this regulatory action.
The potential costs associated with these final regulations are those resulting from statutory requirements and those we have determined to be necessary for administering this program effectively and efficiently.
In assessing the potential costs and benefits--both quantitative and qualitative--of these final regulations, we have determined that the benefits of the regulations justify the costs.
Summary of Potential Costs and Benefits
We summarized the potential costs and benefits of these final regulations in the preamble to the NPRM (68 FR 44421).
Paperwork Reduction Act of 1995
These regulations do not contain any information collection requirements.
Assessment of Educational Impact
In the NPRM we requested comments on whether the proposed regulations would require transmission of information that any other agency or authority of the United States gathers or makes available.
Based on the response to the NPRM and on our review, we have determined that these final regulations do not require transmission of information that any other agency or authority of the United States gathers or makes available.
Electronic Access to This Document
You may view this document, as well as all other Department of Education documents published in the Federal Register, in text or Adobe Portable Document Format (PDF) on the Internet at the following site: http://www.ed.gov/news/fedregister.
To use PDF you must have Adobe Acrobat Reader, which is available free at this site. If you have questions about using PDF, call the U.S. Government Printing Office (GPO), toll free, at 1-888-293-6498; or in the Washington, DC, area at (202) 512-1530.
You may also find these regulations, as well as additional information about FERPA, on the following Web site: http://www.ed.gov/policy/gen/guid/fpco/index.html .
[[Page 21671]]
Note: The official version of this document is the document published in the Federal Register. Free Internet access to the official edition of the Federal Register and the Code of Federal Regulations is available on GPO Access at: http://www.gpoaccess.gov/nara/index.html .
(Catalog of Federal Domestic Assistance Number does not apply.)
List of Subjects in 34 CFR Part 99
Administrative practice and procedure, Education, Information, Parents, Privacy, Records, Reporting and recordkeeping requirements, Students.
Dated: April 2, 2004. Rod Paige, Secretary of Education.
0 For the reasons discussed in the preamble, the Secretary amends part 99 of title 34 of the Code of Federal Regulations as follows: 0 1. The authority citation for part 99 continues to read as follows:
Authority: 20 U.S.C. 1232g, unless otherwise noted.
0 2. Section 99.30 is amended by adding a new paragraph (d) to read as follows:
Sec. 99.30 Under what conditions is prior consent required to disclose information?
* * * * *
(d) ``Signed and dated written consent'' under this part may include a record and signature in electronic form that--
(1) Identifies and authenticates a particular person as the source of the electronic consent; and
(2) Indicates such person's approval of the information contained in the electronic consent.
Appendix
Analysis of Comments and Changes
Note: The following appendix will not appear in the Code of Federal Regulations.
Use at Multiple School Levels
Comments: One commenter asked whether the proposed regulations apply only to eligible students at postsecondary institutions.
Discussion: FERPA gives the right to consent to disclosure of education records to parents of minor children at the elementary and secondary school levels, and to parents of children with disabilities who receive services under Part B or Part C of the Individuals with Disabilities Education Act (IDEA). When a student turns 18 years of age or attends a postsecondary institution at any age, the student is considered an ``eligible student'' under FERPA. The right to consent under FERPA transfers under either of those two conditions from the parent to the eligible student. Although the term ``eligible student'' will be used throughout this document, educational agencies and institutions at all levels may use these regulations to accept electronic signatures.
Change: None.
Specific Methodologies
Comments: Several commenters asked for more specific guidance on authentication methods and technologies that may be used.
Discussion: As explained in the preamble to the NPRM, the regulations are purposefully narrow in scope and intended to be technology-neutral (page 44420). While we will issue additional guidance that will include further examples of an acceptable process, we do not want to limit the flexibility of schools in this area of rapid technological change.
Change: None.
Safe Harbor
Comments: Several commenters support the use of the FSA standards for electronic signatures in electronic student loan transactions (FSA Standards) as a ``safe harbor'' provision for acceptance of electronic signatures in FERPA. Several other commenters objected to the FSA Standards as being too rigorous for the perceived level of risk of improper disclosure. The FSA Standards may be viewed on the Internet at the following site: http://www.ifap.ed.gov/dpcletters/gen0106.html.
Discussion: The preamble to the NPRM stated (page 44421) that the FSA Standards would be the ``safe harbor'' provision. A ``safe harbor'' is not set at the minimally acceptable level of security. Due to the nature of the information that may be disclosed and the potential harm a student may suffer from an unauthorized disclosure, we believe the ``safe harbor'' provision is not unduly rigorous. Schools retain the flexibility to choose to implement a system that meets the ``safe harbor'' provisions or to choose to implement another system to meet the new FERPA provisions.
However, schools should be reminded that Congress has also, through the Gramm-Leach-Bliley Act (GLB) (Pub.L. 106-102, November 12, 1999), imposed additional privacy restrictions on financial institutions, which include postsecondary institutions, requiring institutions to protect against unauthorized access to, or use of, consumer records. The Federal Trade Commission's (FTC) rule on the privacy of consumer financial information provides that postsecondary institutions that are complying with FERPA to protect the privacy of their student financial aid records will be deemed in compliance with the FTC's rule. (65 FR 33646, 33648 (May 24, 2000)). This exemption applies to notice requirements and the restrictions on a financial institution's disclosure of nonpublic personal information to nonaffiliated third parties in Title V of GLB. However, postsecondary institutions are not exempt from the FTC final rule implementing section 501 of GLB on Safeguarding Customer Information. (67 FR 368484 (May 23, 2002)). Financial institutions, including postsecondary institutions, are required to have adopted an information security program by May 23, 2003, under the FTC rule.
Thus, while schools have the maximum flexibility in choosing a system that meets FSA's ``safe harbor'' provisions or another process for authenticating Personal Identification Number (PIN) numbers under FERPA, postsecondary institutions should keep these other Federal requirements in mind when implementing such systems.
Change: None.
Applicability of FSA Standards
Comments: One commenter stated that it was confusing to apply the situations and terminology in the FSA Standards to FERPA. The commenter suggested that we issue a separate guide on FERPA standards.
Discussion: The FSA Standards do not apply directly to FERPA because some actions are imposed only on lenders or borrowers of financial aid. For example, the FSA Standards require that paper copies of transactions be provided to a student borrower at no cost in some circumstances, and lenders are required to obtain a borrower's specific consent to conduct loan transactions electronically. Neither of those circumstances has parallels within FERPA.
We agree that some circumstances within the FSA Standards do not relate directly to FERPA. While schools are not required by FERPA to follow the FSA Standards, we believe that schools may use the set-up and security measures described in the FSA Standards, particularly sections 3 through 7, as guidance for security measures in a system using electronic records and signatures under FERPA. We do not plan to issue a separate FERPA standards document, but we will clarify these items in additional guidance.
Change: None.
Use of ``Trusted Third Party'' in Identification Verification
Comments: A commenter expressed a belief that disclosure by a school of student information without prior written consent to a ``trusted third party'' as part of an identification verification process may be in violation of FERPA. This commenter stated that the conflict arises because the FSA Standards specify that the third party may not be an agent of the school.
Discussion: FSA authenticates student identification information with the Social Security Administration as a ``trusted third party.'' FERPA's consent provisions do not apply to transactions between a student and FSA.
In situations where a school is disclosing education records to a third party, FERPA's consent provisions apply. When the third party receiving the information from the school is not an agent for the school, FERPA generally requires a school to obtain prior written consent before the disclosure is made. Receipt of the prior consent would then allow a school to disclose personal information for authentication purposes with the records of independent sources such as credit reporting agencies or testing companies.
Schools may also choose to use other processes to authenticate identity. For example, a school may require the eligible student to present photographic identification issued by a government agency. Such photographic identification includes, but is not limited to, a State-issued driver's license, a federally-issued passport,
[[Page 21672]]
and other Military, Federal, or State-issued identification cards.
Change: None.
Issuing a PIN or Password
Comments: One commenter stated that schools that issue a PIN to students as outlined in the FSA Standards can result in a PIN that is recorded and accessible to school officials. The commenter is concerned that this conflicts with FERPA policy that a PIN is not acceptable for use under FERPA if persons other than the student have access to the PIN.
Discussion: The process described in the FSA Standards does not permit school officials to access a student's PIN or password. In addition, the FSA Standards permit an eligible student to change an assigned password or PIN to one of their own choosing. Under the FSA Standards, all of the passwords or PINs, whether assigned or student-selected, are maintained in a secure database in an encrypted manner that is not generally accessible to school officials or other parties.
A school that uses a similar methodology would remain in compliance with requirements for the acceptance of an electronic signature under FERPA. However, a school may not use a PIN or password process that results in a PIN or password that is visible and easily accessible to persons other than the eligible student because that type of process results in an insecure PIN or password. Schools retain the maximum flexibility to implement any appropriate methodology.
Change: None.
Use of Current Systems
Comments: Several commenters asked whether it is acceptable to use existing systems that include sign-on capability, such as campus e-mail, admissions, enrollment, and fee payment systems. Several commenters also asked if it is acceptable to permit eligible students to provide notice of directory information opt-outs by use of electronic signatures.
Discussion: As explained in the preamble to the NPRM, the requirements for an electronic signature apply in circumstances where a signed and dated written consent is required under FERPA (page 44420). Such consent is generally required under FERPA when information from education records is to be disclosed to a third party, as in the issuance of a transcript to a prospective employer. Consent is not a requirement for disclosure of an eligible student's own records to the student. A school that wishes to use its current system for situations where FERPA consent is required must determine whether it provides the required level of security.
The majority of the systems mentioned by the commenters are designed for communication between a school and an eligible student. Systems that permit eligible students to view, alter, or update the student's own records by electronic means are not the subject of these regulations. A school must ensure that the eligible student and not some other party is the receiver of the information, but the method a school uses to do so is not prescribed by these regulations.
Change: None.
Third-Party Presentation of Electronic Signature
Comments: Several commenters asked whether the proposed regulations are applicable when a third party, not the eligible student, presents the electronic signature claimed to be that of the eligible student. Two commenters expressed strong support for acceptance of electronic signatures presented by third parties, primarily when the third party is a government entity or another educational agency or institution.
Discussion: Educational agencies and institutions are responsible to ensure that education records are disclosed only in accordance with FERPA. Any disclosure of education records to a third party, even in accordance with a student's consent, is permitted but not required under FERPA. Each agency or institution must have the flexibility to decide whether a request for disclosure meets the requirements of FERPA and whether the institution wishes to make the requested disclosure.
The FERPA regulations do not require that an eligible student provide his or her consent directly to the educational agency or institution, and these regulations do not impose a different requirement for electronic signatures. We would support an agency's or institution's decision to only accept electronic signatures presented on behalf of the eligible student by certain third parties, such as Federal or State agencies.
Change: None.
Application of Standards of Other Privacy Laws
Comments: One commenter suggested that the standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule for ``protected health information'' be applied to personally identifiable information contained in students' education records. The commenter was concerned because personally identifiable information from students' education records are disclosed by educational agencies and institutions to outside third parties who have grants to do research. The commenter stated that educational agencies and institutions do not recognize the concern for privacy of such data.
Discussion: The HIPAA Privacy Rule, which is administered by the Department of Health and Human Services, excludes from the definition of ``protected health information'' two categories of records that are relevant here: ``education records'' covered by FERPA (34 CFR 99.3 ``Education records'') and records described under FERPA's medical treatment records provision (34 CFR 99.3 ``Education records''). See 45 CFR 160.103(a). The HIPAA Privacy Rule does not cover such records because Congress, through FERPA, specifically has addressed how these records should be protected. As such, FERPA provides ample protections for these records and schools should ensure that health information, as well as other education records on students, are not disclosed to outside third parties without the consent of the student or under one of the exceptions to FERPA's general prior consent rule.
With regard to the commenter's statement that educational agencies and institutions do not recognize the concern for privacy of student information, it has been our experience that the majority of the Nation's schools do comply with FERPA and strive to protect the privacy of information contained in student records. FERPA is not a public open records or freedom of information statute. Rather, the purpose of FERPA is to protect the privacy interests of parents and eligible students in records maintained by educational agencies and institutions on the student. These privacy concerns should not be viewed as barriers to be minimized and overcome but important public safeguards to be protected and strengthened.
Change: None.
[FR Doc. 04-9054 Filed 4-20-04; 8:45 am]
BILLING CODE 4000-01-P
