Docket ID: ED-2017-OS-0074

On behalf of the [insert name of institution/State or regional AACRAO member], I write to respectfully submit the following comments in response to the U.S. Education Department’s request for input on regulations that may be appropriate for repeal, replacement, or modification in accordance with Executive Order 13777, “Enforcing the Regulatory Reform Agenda.” We appreciate the opportunity to provide input to inform the Regulatory Reform Task Force’s evaluation of existing regulations and guidance that have a policy impact, particularly with regard to those impacting education records and student privacy.

As a member of the American Association of Collegiate Registrars and Admissions Officers (AACRAO), a nonprofit association representing campus officials that serve as custodians of education records for current and former students, [insert name of institution/State or regional AACRAO member] is particularly concerned about privacy issues in general, and specifically about information security and privacy requirements of Federal and State laws.

Correcting Certain Provisions Created by 2012 Regulations
In 2012, the Obama Administration, through the Department of Education, implemented regulatory amendments that dramatically expanded Family Educational Rights and Privacy Act (FERPA). The amendments greatly broadened the definition of who is given access to personally identifiable information (PII) from student records on a nonconsensual basis. [insert name of institution/State or regional AACRAO member] strongly urges that the following 2012 regulatory amendments to FERPA be rescinded.

The Term "Authorized Representative"

  • The 2012 regulations inappropriately expanded the definition of "Authorized Representative" to anyone chosen by the designated official.
  • We believe that the definition "Authorized Representative" should be restored to its previous definition of "individuals and entities under direct control of officials" as designated in the original statute.

The Term "Implied Authority"

  • The 2012 regulations also overreached on the definition of "Implied Authority" to audit programs and have created much confusion, and lacks legal precedent.
  • We urge the Task Force to close this loophole for non-consensual disclosure of education records.

The Term "Education Program"

  • The 2012 regulations vastly widened this definition to include programs not administered by educational authorities.
  • We believe that the definition of "Education Programs" should revert back to the original definition of "programs administered by an educational agency or institution."

The Term "Non-Consensual Disclosure for Studies"

  • The 2012 regulations expanded the meaning of non-consensual disclosure of personal information from education records to organization conducting "for, or on behalf of" educational agencies or institutions.
  • We strongly urge the restoration of the limitation on the purposes for which the research exception may be invoked, and to statutorily prohibit re-disclosure of personally identifiable information by organizations accessing education records under this exception.

Guidance on the Disclosure of Student Medical Records

On August 24, 2016 the Department of Education issued a Dear Colleague Letter outlining its final guidance on the obligations of institutional school officials under FERPA, 20 U.S.C. 1232g and the regulations in 34 C.F.R. Part 99, to protect students' education records from disclosure without consent, and provides guidance more specifically on the disclosure of student medical records.

The guidance reviewed and clarified the agency's views regarding the protections applicable to student medical records, specifically in cases where litigation occurs between the institution and the student. The letter advised colleges to handle the privacy of student medical records under FERPA similarly to the way health care providers and hospitals are required to treat such records. While [insert name of institution/State or regional AACRAO member] favors stricter scrutiny with regards to the disclosure of student record, we are concerned that the injection of Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule standards to records traditionally governed by FERPA creates unnecessary confusion for well-intentioned school officials and unintended consequences for institutions as well as students.

We strongly urge that the Task Force modify the Department’s guidance to defer to FERPA when student medical records are involved, as previous joint guidance advises.

2017 Changes to the Family Policy Compliance Office (FPCO)

On January 19, 2017, the outgoing Obama administration issued a final rule that amended FERPA to change the name of the office designated enforcement functions by the Secretary from the Family Policy Compliance Office (FPCO) to the Office of the Chief Privacy Officer as part of an expansion of student privacy operations at the Department.

Historically, institutions have worked with the FPCO on all issues related to FERPA compliance and enforcement. The change to the name of the office, as well as its functions, is unnecessary and confusing. Moreover, the Department issued the change in the Federal Register without seeking public input. In fact, the Department waived the need for a notice of proposed rulemaking because the Secretary “determined that proposed regulations are unnecessary and contrary to the public interest.”

We strongly urge the Department to rescind this regulatory change and restore FPCO and its Director as the office designated to administer FERPA in all aspects.

[insert name of institution/State or regional AACRAO member] would like to thank you for your consideration of our views regarding existing regulations and guidance. We appreciate the Department’s willingness to work with the higher education community and stand ready to work with you to advance the interests of our nation’s students.




[insert name of campus official/State or regional officer]

[insert name of institution/State or regional AACRAO member]