Discussion List for campus-based and allied personnel working to end gender-based violence on campus.

["Linda Langford" <>]

Dear Colleagues,
 
The Chronicle article below links to the Federal Register information about 
the new FERPA rules (also available in pdf format here: 
http://www.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.pdf). The 
289-page guide referred to in the article doesn't seem to be posted yet.
 
Best Regards,
Linda Langford
 
 
 
Linda Langford, Sc.D.
Associate Center Director, Higher Education Center for Alcohol and Other Drug 
Abuse and Violence Prevention
www.HigherEdCenter.org
55 Chapel Street, Newton, MA  02458-1060
voice (800) 676-1730 x2719 OR (617) 618-2719 (direct line)
fax (617) 928-1537

________________________________

From:  
http://chronicle.com/daily/2008/12/8210n.htm?utm_source=at&utm_medium=en

Education Dept. Releases New Rules on Student-Privacy Law, Giving Colleges 
More Room for Judgment

By SARA LIPKA 
<mailto:>
  

Washington

More regulations may expand the thicket of student-privacy law, but the U.S. 
Department of Education hopes a new 289-page guide 
<http://edocket.access.gpo.gov/2008/E8-28864.htm>  will help colleges and 
universities find their way.

The Education Department plans to release today its new rules on the Family 
Educational Rights and Privacy Act, which protects the disclosure of student 
records. After announcing initial regulations in March, the department 
received more than 120 comments from higher-education associations, 
university systems, and other groups, and postponed the final publication 
originally slated for September.

The regulations do not revolutionize the law, which is known as Ferpa or the 
Buckley Amendment, but they update and clarify some of its thorniest parts.

After the mass-shootings at Virginia Tech in April 2007, investigations 
revealed widespread views of Ferpa as a muzzle that prevented faculty and 
staff members from sharing information about potentially troubled students. 
Today the Education Department roundly dispels that impression. 

The new rules-which consolidate and expand upon guidance the department has 
issued to individual institutions over the past several years-also discuss 
two recent U.S. Supreme Court decisions involving Ferpa, changes in related 
laws like the USA Patriot Act, and trends in information technology and 
university administration. In a lengthy preamble, department officials 
meticulously explain their reasoning and diction. 

Responding to dozens of subtle qualms, the Education Department "added a 
great deal of discussion and interpretation that fills in some of those 
question marks," Steven J. McDonald, general counsel of the Rhode Island 
School of Design and a national expert on Ferpa, said on Monday. The 
regulations' more-explicit deference to college officials' judgment of what 
constitutes an emergency, as well as what information to disclose in that 
situation, and to whom, comes as an "enormous relief," he said. 

"People can now make decisions based on what they think is the right thing to 
do, rather than an unwarranted fear of liability," Mr. McDonald said. 

'Rational Basis' for Disclosures

There is no color-coded threat-level scale for campus crises. But the 
Education Department had previously implied that safety could trump privacy 
only in dire situations. 

Colleges should make "narrowly tailored" disclosures only when a "specific 
situation presents imminent danger or threat," LeRoy S. Rooker, director of 
the department's Family Policy Compliance Office, wrote in a letter of 
guidance to the Alabama Department of Education in 2004. He gave a few 
examples, including terrorist attacks and polio outbreaks.

In the wake of the tragedy at Virginia Tech, many observers wondered why 
professors and administrators hadn't shared concerns earlier about the 
disturbing behavior of the gunman, Seung-Hui Cho. 

Before and after the shootings at Virginia Tech, the Education Department 
made more room for disclosures of student information, but the new 
regulations go further. They strike the "strict construction" standard that, 
in existing regulations, had defined an emergency. Under the new rules, 
colleges may disclose information about someone "if there is an articulable 
and significant threat to the health or safety of the student or other 
individuals."

Ferpa experts were already promoting that interpretation of the law, but the 
shift in the new regulations is vital, said Peter F. Lake, director of the 
Center for Excellence in Higher Education Law and Policy at Stetson 
University.

"This undoes an entire era of regulatory approach to Ferpa, and it's none too 
soon," Mr. Lake said on Monday. "These new regulations are much more 
consistent with original Congressional intent and give a lot more flexibility 
to higher-education administrations to engage in reasonable efforts to 
protect their campuses and students." 

The new regulations impose a "rational basis" test on colleges' decisions to 
disclose information in emergency situations. "The Department will not 
substitute its judgment for that of the agency or institution if, based on 
the information available at the time ... there is a rational basis for the 
agency's or institution's determination that a health or safety emergency 
exists," the introduction says.

The message there should be clear, Mr. Rooker said on Monday.

"We wanted to strike that balance between privacy and safety and certainly 
emphasize that safety on a campus is paramount," he said. "As long as you can 
articulate what that emergency was, we're not going to be in the business of 
second-guessing you on that."

Still, according to the new rules, administrators must document what 
emergency circumstances prompted their decision to disclose information. That 
record may serve as a rationale to curious students and parents, as well as 
to the Education Department, the preamble says.

'Direct Control' Over Contractors

Another area of focus in the new regulations is the role of contractors in 
protecting students' privacy. As colleges have outsourced so many student 
services, third parties' relationship with Ferpa has remained murky.

In March, the Education Department said those contractors had to be under 
institutions' "direct control" to be eligible for access to protected student 
information. Several comments on the proposed regulations questioned the 
meaning of that phrase or suggested deleting it.

The final rules preserve the phrase "direct control," but the introduction 
explains that the standard is not as strict as it sounds. Contracts with 
third parties who handle student information must reflect that the 
information is owned by the institutions and governed by Ferpa, the 
regulations say. Those contracts may even specify a penalty for misusing 
student records, Mr. Rooker said.

That explanation will probably satisfy college officials who had worried 
about how much supervision the Education Department expected of them, said 
Ada Meloy, general counsel of the American Council on Education, which 
challenged that point in its comment on the proposed rules.

"You don't actually have to be in their office controlling everything they 
do," Ms. Meloy said.

Among the other updates and revisions in the new regulations is one 
concerning what information may be included in colleges' directories. The 
proposed regulations had restricted the use of student identification 
numbers, which they equated with Social Security numbers. But in response to 
many comments arguing that ID numbers do not unlock further information the 
way Social Security numbers do, the new regulations do allow ID numbers in 
directories. Removing those numbers would have wreaked havoc on many 
campuses' information-technology systems, experts said. 

The new regulations also specify that colleges cannot require students to 
sign confidentiality pledges if, as victims of sexual assault, they are 
informed of the results of disciplinary proceedings against their assailants. 
That provision conforms with the Education Department's finding in a recent 
case involving the University of Virginia. 

The rules released today speak to many other groups and situations. They 
establish that online students are protected under Ferpa. They allow 
different colleges to share information-not just related to admissions 
decisions-about students who transfer. They clarify Ferpa's "study 
exception," spelling out what must be included in agreements between 
institutions and groups conducting research with student data. And they 
stipulate how student records scrubbed of identifying information can be 
released, a matter now pending between the University of North Dakota and 
that state's attorney general.

Effective in 30 Days

The new regulations will send campuses scrambling during a busy season: They 
take effect in 30 days. 

Ms. Meloy fretted over that. "It's very difficult," she said, "for 
institutions to just turn on a dime."

But the new rules may require colleges to do more in the way of thorough 
reviews and revisions than in making sweeping changes.

"We'll certainly need to be looking at these [regulations] and thinking about 
steps we need to take," Mr. McDonald, of the Rhode Island School of Design, 
said. For example, colleges will have to develop policies to document their 
decisions about what constitutes an emergency, he said. And they may need to 
create systems for sharing information with institutions to or from which 
students have transferred.

Mr. Rooker said that colleges should consider the Education Department a 
partner as these rules take effect. 

"We cover a lot of ground in these regs. That's why there are so many pages," 
he said. "We are anticipating a lot of follow-up questions."

The provisions regarding contractors may be a hot area, experts said on 
Monday. For example, the new regulations mention the outsourcing of students' 
e-mail accounts to Microsoft and Google, but they do not give specific 
guidance on those arrangements.

Still, colleges shouldn't panic over the 30-day clock, Mr. Rooker said. 
"We're not going to be out there on Day 31 trying to find institutions that 
didn't comply in some form," he said. "We would want to be out there helping 
them understand."

Over all, the regulations struck some experts as collaborative in tone. While 
some government regulations scold practitioners and slam doors, these largely 
give colleges the benefit of the doubt, said Mr. Lake, of the 
higher-education-law center.

"A lot of lawyers are going to tell their clients, Well, this is great," he 
said. "There's a feeling of trust."

Indeed, the introduction to the new rules acknowledges administrators' hard 
work. "Educational agencies and institutions face considerable challenges, 
especially with regard to maintaining safe campuses, protecting personally 
identifiable information in students' education records, and responding to 
requests for data on student progress," it says.

Mr. Lake thinks that approach bodes well. "The day-to-day administrator ... 
the person who's always been out there operating in good faith," he said, 
"can breathe deeper tomorrow."

Copyright <http://chronicle.com/help/copyright.htm>  © 2008 by The Chronicle 
of Higher Education <http://chronicle.com/>