AACRAO Comments on Regulatory Reform Agenda

Docket ID: ED-2017-OS-0074

On behalf of the American Association of Collegiate Registrars and Admissions Officers (AACRAO), I write to respectfully submit the following comments in response to the U.S. Education Department’s request for input on regulations that may be appropriate for repeal, replacement, or modification in accordance with Executive Order 13777, “Enforcing the Regulatory Reform Agenda.” We appreciate the opportunity to provide input and inform the Regulatory Reform Task Force’s evaluation of existing regulations and guidance that have a policy impact, particularly with regard to those impacting education records and student privacy.

AACRAO is a nonprofit association of more than 11,000 higher education admissions and registration professionals who represent approximately 2,600 institutions and agencies in the United States and more than 40 other countries. The vast majority of our individual members are campus officials with direct responsibility for admissions, recruiting, academic records, and registration functions. Because they serve as custodians of education records for current and former students, our members are particularly knowledgeable about privacy issues in general, and specifically about information security and privacy requirements of Federal and State laws. Compliance with the Family Educational Rights and Privacy Act (FERPA) has long been a primary area of professional jurisdiction for AACRAO members, who are often the leading FERPA experts on their campuses.

Since its original enactment in 1974, and through the numerous amendments, court decisions, and administrative policy revisions that have further refined that original construct over the years, AACRAO has been constructively engaged with the Department of Education to promote FERPA compliance and achieve the right balance between individual educational privacy rights and the rights of third-parties to obtain access to data for appropriate purposes.

2012 Family Educational Rights and Privacy Act (FERPA) Regulations

In 2012, the Obama Administration, through the Department, implemented regulatory amendments that dramatically expanded FERPA. (The amended regulations were published in the Federal Register on December 2, 2011, but became effective on January 3, 2012.) The amendments greatly broadened the definition of who is given access to personally identifiable information (PII) from student records on a non-consensual basis. AACRAO believes that some of the 2012 regulatory changes are unnecessary and run counter to legislative intent and plain language of the law. Additionally, most of the provisions that were adopted actually require legislative amendments to FERPA, and the Department lacks legal authority to implement them through regulatory action. The association strongly urges that the following 2012 regulatory amendments to FERPA be rescinded.

The Term "Authorized Representative" (§§99.3, 99.35)

AACRAO strongly supports the narrowing of the definition of “authorized representative” to individuals and entities under the direct control of officials designated in the statute as entitled to non-consensual access to personally identifiable information from education records. While the term was not defined in previous versions of the FERPA regulations, the common (and correct) understanding of this term was reflected in a January 30, 2003, memorandum issued by then-Deputy Secretary of Education, William D. Hansen. The memo explained that an “authorized representative” must be a party under the direct control of that authority, such as an employee or contractor, which the Hansen memo stated, was based on the Department’s understanding of the FERPA statute and Congressional statements as to its meaning. The 2012 regulatory changes inappropriately expanded this definition to anyone chosen by the designated officials.

Prior to the 2012 amendments, Section (b)(1) of FERPA conditioned receipt of any Department funds to any educational agency or institution not having a policy or practice of permitting the release of education records (or personally identifiable information (PII) other than directory information) of students without first obtaining written consent, except under very specific circumstances. One exception to this requirement is for release of education records to “authorized representatives” of the Comptroller General of the United States, the Secretary, State educational authorities, or (for law enforcement purposes) the Attorney General. 20 U.S.C. 1232g (b)(1)(C). Redisclosure of information obtained by “authorized representatives” of State educational agencies may only occur under the conditions set forth in Section (b)(3):

Provided, that except when collection of personally identifiable information is specifically authorized by Federal law, any data collected by such officials shall be protected in a manner which will not permit the personal identification of students and their parents by other than those officials....                                        

20 U.S.C. 1232g (b)(3). The statutory language makes clear that Congress intended to restrict redisclosures by such official recipients of personally identifiable information from student education records. In addition, the use of the word “officials” twice to signify who was collecting the data and releasing such data on behalf of the State educational agencies demonstrates that Congress envisioned “authorized representatives” to be employees of the State educational agencies or agents under the direct control of such employees.

The 2012 FERPA amendments, instead, advanced and counterintuitive definition of “authorized representative,” which allows “any entity or individual designated by a State or local educational authority or agency headed by an official listed in §99.31(a)(3) to conduct—with respect to Federal or State supported education programs—any audit, evaluation, or compliance or enforcement activity in connection with Federal legal requirements that relate to these program.”

The effect of this extraordinarily overbroad definition is to expand the scope of who can be designated as an “authorized representative” of a State or local educational agency to entities and individuals well outside its direct control. Virtually any State or local employee can be designated an authorized representative under the regulations, no matter how remote or dubious their actual standing as an educational functionary. Nongovernmental entities, including nonprofits, religious organizations, foundations, independent researchers, and for-profit companies, as well as individuals, can also be granted access to personally identifiable information without notice or consent. This information free-for-all is unnecessarily and unjustifiably overbroad. 

In addition, the Department lacked the legal authority for abandoning its longstanding interpretation that an authorized representative must be under the direct control of the State or local agency. Without retaining the element of meaningful direct control, this definition of an authorized representative invites mischief and creates predictable data disclosure problems that Congress was clearly seeking to prevent by enacting FERPA in the first place. This broad definition of authorized representative take controls of education records away from parents and students, and hands it over to entities and individuals over whom State and local authorities have no control.

The Term "Implied Authority" (§99.35)

Prior to the 2012 amendments, 34 CFR 99.35(a)(2) provided that in order for a State or local educational authority or other agency headed by an official listed in §99.31(a)(3) to conduct an audit, evaluation, or compliance or enforcement activity, its authority to do so must be established under other Federal, State, or local authority because that authority is not conferred by FERPA. (Previous §99.35(a)(2) was added to the regulation on December 9, 2008.)

The 2012 regulations removed the requirement to establish legal authority under other Federal, State, or local law to conduct an audit, evaluation, or compliance or enforcement activity. The change, in effect, substituted the mere invocation of an audit or evaluation for actual authority.

This removal of the provision requiring legal authority to audit or evaluate education programs has created much confusion and noncompliance as institutions struggle to separate real claims of authority from frivolous one. AACRAO strongly urges the narrowing of the definition of “authorized representative” to close this loophole for non-consensual disclosure of education records, as well as restoring the previous provision concerning authority to audit or evaluate education programs.

The Term "Education Program" (§99.35)

AACRAO strongly urges the removal or narrowing of the definition of “education program” to programs administered by an educational agency, authority or institution. The 2012 regulations’ definition of the term includes programs not administered by educational authorities, which we believe is unnecessary and confusing.

The current definition, when combined with the current definition of “authorized representative,” permits every federal or state-supported county recreation program to be considered an education program eligible for evaluation using personally identifiable information from education records, without the evaluator needing to obtain consent from the parents or student. The new definition provides virtually unlimited access to education records in the name of evaluating program outcomes to any program evaluators that can convince an authorized representative that they are reviewing an education program, as loosely defined by the definition.

The Term "Non-Consensual Disclosure for Studies" (§99.31(a)(6))

Prior to the 2012 amendments, Section (b)(1)(F) of FERPA permitted educational agencies and institutions non-consensually to disclose personally identifiable information to organizations conducting studies “for, or on behalf of” educational agencies and institutions to improve instruction, administer student aid programs, or develop, validate, or administer predictive tests. 20 U.S.C. 1232g (b)(1)(F). 34 C.F.R. 99.31(a)(6)(ii)(C) required that an educational agency or institution enter into a written agreement with the organization conducting the study that specifies the purpose, scope, and duration of the study and the information to be disclosed and meets certain other requirements.

The 2012 regulations circumvented the statutory requirement that any disclosures of personally identifiable information under the studies exception be done “for, or on behalf of” educational agencies or institutions by allowing State or local educational authorities (or agencies headed by an official listed in 34 CFR 99.31(a)(3)) to enter into agreements with organizations conducting studies under 34 C.F.R. 99.31(a)(6)(i) and to redisclose personally identifiable information on behalf of educational agencies and institutions that provided the information in accordance with other FERPA regulatory requirements. The 2012 regulations also made the written agreement requirements and other provisions in 34 CFR 99.31(a)(6) apply to State and local educational authorities or agencies headed by an official listed in 34 CFR 99.31(a)(3), as well as educational agencies and institutions.                                                          

This vast expansion of the meaning of “non-consensual disclosure for studies” broadened the scope of both access to and redisclosure of personally identifiable information without statutory authority to do so. The change failed to mandate compliance with the most basic fair information practices by such recipients of personally identifiable information. As a result, students and families are not even aware that various and sundry data repositories of education records may have redisclosed their information to other third parties. This ill-advised amendment makes FERPA compliance unduly burdensome for institutions.

AACRAO strongly urges the restoration of the limitation on the purposes for which the research exception may be invoked, and to statutorily prohibit re-disclosure of personally identifiable information by organizations accessing education records under this exception.

Guidance on the Disclosure of Student Medical Records

On August 24, 2016 the Department issued a Dear Colleague Letter outlining its final guidance on the obligations of institutional school officials under FERPA, 20 U.S.C. 1232g and the regulations in 34 C.F.R. Part 99, to protect students' education records from disclosure without consent, and provides guidance more specifically on the disclosure of student medical records.

AACRAO supports the Department’s efforts to remind institutions of their duty to safeguard the management of students’ education records and to impose a high standard for release of those records. We agree that disclosure exceptions described in 20 U.S.C. 1232g (b), (i), and (j) and 34 C.F.R. 99.31, as referenced and outlined in the Dear Colleague Letter, serve as a reasonable and responsible guide for institutions. We are, however, concerned that one aspect of the guidance creates unnecessary confusion for well-intentioned school officials and unintended consequences for institutions as well as students.

The guidance states that, in cases where litigation occurs between the institution and the student, FERPA's school official exception to consent should be construed to offer protections that are similar to those provided to medical records in the context of litigation between a covered health care provider, such as a hospital, and a patient under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, 45 C.F.R. 164.501, 164.506, and 164.512(e).

While AACRAO favors stricter scrutiny with regards to the disclosure of student records, we are alarmed by the injection of HIPAA standards to records traditionally governed by FERPA. This recommendation conflicts with joint guidance previously issued by the Departments of Education and Health and Human Services that advises institutions to defer to FERPA when student medical records are involved. Further, the HIPAA Privacy Rule, administered by the Department of Health and Human Services, specifically excludes from the definition of protected health information education records and medical treatment records defined under FERPA (34 C.F.R. 99.3). See 45 C.F.R. 160.103. The HIPAA Privacy Rule does not cover such records because Congress, through FERPA, specifically addressed how these records should be protected. We believe that the interpolation of HIPAA standards creates unnecessary confusion among school officials with little familiarity of the health information privacy law. Under the guidance, institutions are burdened with providing training and resources for HIPAA compliance despite the fact that the disclosure exceptions under FERPA already provide sufficient safeguards to protect students’ privacy rights. In serving as good stewards of educational records, our members are historically conservative in their disclosures of student information. Thus, the guidance imposes additional compliance requirements with regard to education records without providing any additional privacy protections to students.

Additionally, AACRAO is concerned that the injection of HIPAA will have a chilling effect on the work of institutions’ campus risk assessment teams. School officials may be reluctant to share relevant student education records in the course of considering at-risk students out of fear that those disclosures would place them out of compliance with HIPAA standards. Further, institutions may be reticent to share pertinent information in the case of a campus health and safety emergency. We believe that FERPA’s exception to consent for the release of student education records, including medical records, to school officials with a legitimate educational interest, 20 U.S.C. 1232g(b)(l)(A) and 34 C.F.R. 99.3 l(a)(l)(i)(A), and to appropriate parties if a student poses an articulable and significant threat to self or the health or safety of other individuals, 34 C.F.R. 99.31(a)(10) and 99.36, provides a thoughtful and reasonable standard with which institutions comply. The guidance, as currently recommended, confuses and impedes school officials’ ability to determine when a disclosure of education records under the school officials or health or safety emergency exceptions would be appropriate.

Finally, AACRAO believes that such a substantial change in the interpretation of FERPA should not be implemented informally through a Dear Colleague Letter. The Department lacks the legal authority to rewrite FERPA without a formal regulatory review process. As a result of the reasons outlined above, we strongly urge the Task Force to recommend modifying the Department’s guidance to defer to FERPA when student medical records are involved, as the previous joint guidance advises.

2017 Family Educational Rights and Privacy Act (FERPA) Regulations

On January 19, 2017, the outgoing Obama administration issued a final rule that amended FERPA to change the name of the office designated by the Secretary to administer FERPA from the Family Policy Compliance Office (FPCO) to the Office of the Chief Privacy Officer as part of an expansion of student privacy operations at the Department.

FERPA, 20 U.S.C. 1232g(g), requires the Secretary to establish or designate an office within the Department for the purpose of investigating, processing, reviewing, and adjudicating violations and complaints. Section 99.60(b)(2) of the regulations also requires that the FERPA office “[p]rovide technical assistance to ensure compliance with the Act and this part.” Historically, institutions have worked with the FPCO on all issues related to FERPA compliance and enforcement. The change to the name of the office, as well as its functions, is unnecessary and confusing. Moreover, the Department issued the change in the Federal Register without seeking public input. In fact, the Department waived the need for a notice of proposed rulemaking because the Secretary “determined that proposed regulations are unnecessary and contrary to the public interest.” AACRAO has an interest in what the Department does with regard to FERPA and to FPCO, and would like to have had an opportunity to comment on the proposed change.

AACRAO strongly urges the Department to rescind the January 19, 2017 regulatory changes and restore FPCO and its Director as the office designated to administer FERPA in all aspects.

The association would like to thank you for your consideration of our views regarding existing regulations and guidance. We appreciate the Department’s willingness to work with the higher education community and stand ready to work with you to advance the interests of our nation’s students.

Sincerely,

Michael V. Reilly

Executive Director