There are constant changes that are being directed towards colleges and universities. These changes are directed by the Family Policy Compliance Office (FPCO) under the U.S. Department of Education. The FPCO website has the most up-to-date information on new legislation pertaining to FERPA. Some of these updates as of April 2008 include the following:
- New Model Notification. A new model notification will be provided by the FPCO. It will inform students of important changes and specifically includes notice of contractors (or third party school officials) receiving access to student data.
- Electronic Signatures. PIN/Passwords/biometrics etc. can be used to indicate consent but if only known or possessed by the student.
- Disclosure to Parents. Schools are permitted to disclose information under the following exceptions: student is a dependent as defined by the IRS; student violated the law or school rules in alcohol/substance abuse; student involved in a situation whereby it becomes necessary to disclose information about him/her in order to protect health and safety of others or in an emergency.
- Health or safety emergency. Reduces risk to institutions in making disclosures under such conditions, when it is not possible to obtain a student’s consent. Removed language that required a substantial risk “strictly construed” and replaced it with “articulable risk,” etc. Now has a recordation requirement whereby institutions must document the emergency and to whom disclosed. The intent is to balance safety and privacy interests. As noted above, also includes parents as “appropriate parties.”
- Anonymity in class. When a student requests privacy and confidentiality, it does not prevent a school from identifying the student in class. Students on privacy can be listed on class rosters and called upon in class by name, etc. Spells out that privacy was not intended to allow students to be anonymous in class.
- Data breaches. Responsibility of institutions to report students to law enforcement and retrieve information; determine how breach occurred—if policies/procedures violated; implement steps to mitigate risks and safeguard against future occurrence. FPCO can investigate infractions brought to its attention. A complaint from a student is not required to initiate an investigation. New FERPA regulations encourages institutions to self-report breaches to FPCO.
- Miscellaneous. Institution IDs are not directory items. A single use User ID can be directory, if standing alone, cannot be used to access the entirety of the student’s education record. Schools must continue to honor privacy requests of former students. De-identified information can be used for research purposes not tied to the identity of students. New regulations recognize the electronic attendance of Distance Learning students; includes fraud factor that allows institutions to disclose information on transfer students who submit false documents or students who falsify documents after attending; include Patriot Act provision and Clery Act provision to report sex offenders.