New FERPA Regulations were issued yesterday…
Here’s the summary and effective date; read the official FERPA text for the full details.
“SUMMARY: The Secretary amends our regulations implementing the Family Educational Rights and Privacy Act (FERPA), which is section 444 of the General Education Provisions Act. These amendments are needed to implement a provision of the USA Patriot Act and the Campus Sex Crimes Prevention Act, which added new exceptions permitting the disclosure of personally identifiable information from education records without consent. The amendments also implement two U.S. Supreme Court decisions interpreting FERPA, and make necessary changes identified as a result of the Department’s experience administering FERPA and the current regulations.
These changes clarify permissible disclosures to parents of eligible students and conditions that apply to disclosures in health and safety emergencies; clarify permissible disclosures of student identifiers as directory information; allow disclosures to contractors and other outside parties in connection with the outsourcing of institutional services and functions; revise the definitions of attendance, disclosure, education records, personally identifiable
information, and other key terms; clarify permissible redisclosures by State and Federal officials; and update investigation and enforcement provisions.
DATES: These regulations are effective January 8, 2009.”
There are some significant changes regarding how personally identifiable information (PII) may be disclosed.
The definition of PII was also changed:
“Personally Identifiable Information
The term includes, but is not limited to–
(a) The student’s name;
(b) The name of the student’s parent or other family members;
(c) The address of the student or student’s family;
(d) A personal identifier, such as the student’s social security number, student number, or biometric record;
(e) Other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name;
(f) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
(g) Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.”
Tags: awareness and training, FERPA, Information Security, IT compliance, IT training, personal information, personally identifiable information, PII, policies and procedures, privacy training, risk management, security training