The U.S. Department of Education (“Department”) recently announced an important change in the way it will enforce the Family Educational Rights and Privacy Act (“FERPA”). Instead of opening a formal investigation regarding each valid FERPA complaint – a practice that contributed to severe backlogs in the Department’s FERPA case file – the Department will now dedicate investigatory resources to the highest-risk issues and take a less formal, more collaborative approach for other cases.
The Department will assess risk based, in part, on the number of students who could be affected by the identified issue. Schools, online program management companies (“OPMs”), and other education-related companies should expect that the Department will now spend more time reviewing entities’ FERPA policies, because each policy can impact many students.
Background on FERPA Enforcement Procedures
The Secretary of Education is required by statute to “take appropriate actions to enforce [FERPA] and to deal with violations of [FERPA].”1 The Department’s FERPA enforcement procedures include the following aspects:
- A parent or eligible student may file a written complaint with the Department regarding an alleged violation of FERPA.2 The complaint must be timely3 and it must contain specific allegations of fact giving reasonable cause to believe that a FERPA violation has occurred.4 Otherwise, the Department notifies the complainant that it will not initiate an investigation because the complaint failed to meet these requirements.5
- When the Department initiates an investigation, it provides written notice to the complainant and entity being investigated.6 This notice typically requires the entity to provide a written response, including information regarding the entity’s FERPA policies.7
- Upon conclusion of the investigation, the Department provides a written notice of its findings to the complainant and the entity.8 The notice includes a statement of the steps that the entity must take to comply with FERPA and states the period of time during which the entity may comply voluntarily.9 If an entity does not comply by this deadline, the Department may take an enforcement action, such as withholding further payments under a Department program, issuing a complaint to compel compliance through a cease and desist order, or terminating eligibility to receive funding under a Department program.10
These enforcement procedures are memorialized in the Department’s regulations. As discussed below, the Department recently clarified that these regulations do not require formal investigation of all complaints.
OIG Identifies Backlog of Unresolved FERPA Complaints
On November 26, 2018, the Office of Inspector General (“OIG”) issued a report concluding that the Department “did not have controls to ensure that it timely and effectively processed FERPA complaints.”11 The lack of such controls, according to the OIG, led to a substantial backlog of FERPA complaints. For example, as of May 2018, 344 FERPA investigations remained open. Considering the Department had closed only 24 investigations in fiscal year 2017, “the inventory of 344 open investigations would amount to a backlog of far greater than 2 years.”12
The OIG recommended that the Department take several actions to begin reducing the backlog and improve the processing of FERPA complaints. These included a recommendation that the Department “design and implement a risk-based approach to processing and resolving FERPA complaints, where complaints deemed highest risk are prioritized.”13 The Department agreed that a risk-based approach to processing and resolving FERPA complaints should be designed and implemented14 and, as explained below, issued a guidance document describing how this would impact its FERPA enforcement procedures.
Department Modifies FERPA Investigatory Practices
On December 20, 2018, the Department issued a guidance document titled Improving the Effectiveness and Efficiency of FERPA Enforcement. The Department acknowledges in this document that, up to this point, the Department opened formal investigations regarding all complaints that were timely and contained specific allegations of fact giving reasonable cause to believe a FERPA violation occurred. The Department states this practice was not required by the Department’s FERPA regulations and, moreover, contributed to lengthy processing times.
On the basis of its interpretation that neither the statute nor the regulations require formal investigation of all complaints, the Department announced a new risk-based approach under which it will “make a case-by-case determination for every timely complaint to determine the best mechanism for resolving the underlying situation.”15 It appears the Department will use three different “mechanisms”: (1) acting as an intermediary; (2) providing resolution assistance; and (3) conducting formal investigation.
- The Department will act as an intermediary when it receives complaints that are time-sensitive and yet do not implicate substantial noncompliance and/or large cohorts of students. As an example, the Department cited complaints regarding a student’s right to access or amend records. These complaints “are often the most time-sensitive from the perspective of reducing potential harm to the student, and these complaints are frequently the result of a simple misunderstanding of FERPA’s requirements.”16
- The Department will provide resolution assistance when it receives complaints regarding isolated incidents of inadvertent or accidental disclosures of FERPA-protected information. The Department noted that the most effective response in these situations is to provide technical assistance to the school or entity.
- The Department will still conduct formal investigations where necessary to enforce rights and resolve violations based “on the severity of risk to student privacy, the number of students affected, [and] other relevant factors.”17 It appears formal investigations will be used, for example, when an entity’s FERPA policies may be deficient, potentially impacting the FERPA rights of many students.
Potential Implications for Schools, OPMs, and other Education Companies
By ending formal investigations regarding minor FERPA issues, the Department aims to reduce its complaint backlog, conduct more Department-initiated investigations,18 and focus on noncompliance that poses the highest risk to student privacy. As a deficient institutional FERPA policy impacts all students who are subject to the policy, the Department is likely to consider such problems as high-risk and deserving of formal investigation. Thus, schools and other entities should consider redoubling efforts to review policies for compliance.
Schools and other entities also should expect to have more frequent contact with the Department regarding student privacy issues. When the Department acts as an intermediary or provides resolution assistance, it may call and/or email rather than using formal notification letters. Schools and other entities should consider preparing staff for these informal – and perhaps unanticipated – interactions by deciding in advance which employees should be in contact with the Department and providing FERPA training to these employees as necessary.
1 20 U.S.C. § 1232g(f).
2 34 C.F.R. § 99.63.
3 34 C.F.R. § 99.64(c) (“A timely complaint is defined as an allegation of a violation of the Act that is submitted to the Office within 180 days of the date of the alleged violation or of the date that the complainant knew or reasonably should have known of the alleged violation.”).
4 34 C.F.R. § 99.64(a).
5 34 C.F.R. § 99.65(b).
6 34 C.F.R. § 99.65(a).
7 34 C.F.R. § 99.65(a)(2).
8 34 C.F.R. § 99.66(b).
9 34 C.F.R. § 99.66(c).
10 34 C.F.R. § 99.67(a).
11 U.S. Department of Education, Office of Inspector General, “Office of the Chief Privacy Officer’s Processing of Family Educational Rights and Privacy Act Complaints,” ED-OIG/A09R0008, pp. 5 (November 26, 2018) (ED IG Rep.). The OIG began studying this issue in 2017, when the OIG’s Annual Plan identified as “new priority work” the review of the Department’s administration of FERPA, including whether the agency was appropriately processing and resolving complaints alleging FERPA violations.
12 ED IG Rep., pp. 13-14. The OIG characterized the backlog in this way because the Department had originally estimated that the backlog was approximately two years.
13 ED IG Rep., pp. 29-30.
14 ED IG Rep., pp. 42.
15 Improving the Effectiveness and Efficiency of FERPA Enforcement, U.S. Dep’t of Educ., Office of Mgmt., Guidance Letter (December 20, 2018), pp. 2 (Guidance Ltr.).
16 Guidance Ltr., pp. 2.
17 Guidance Ltr., pp. 3, quoting the ED IG Rep.
18 ED IG Rep., pp. 43 (“The Compliance Office is optimistic that as process improvements are implemented (including those discussed in our response to Recommendation 1.7), it will conduct more self-initiated investigations.”).