April 16, 2004
Mrs. Carol H. Fuller
Assistant Vice President for Research and Policy Analysis
National Association of Independent Colleges and Universities
1025 Connecticut Avenue, NW
Washington, DC 20036-5405
Dear Mrs. Fuller:
This is in response to your letter in which you ask the Family Policy Compliance Office (Office) for clarification of the requirements of the Family Educational Rights and Privacy Act (FERPA) as they relate to institutions of higher education that use the National Student Clearinghouse (NSC) Degree Verify service.
As a matter of background, institutions of higher education have certain Federal reporting requirements on their students that relate to graduation rates. Institutions can contract with NSC to obtain information that helps them calculate these rates. NSC's Degree Verify Service appears to work as follows: For University A that has a contract with NSC for its Degree Verify Service, any third party can contact NSC directly to inquire whether or not a particular student graduated from University A. The third party, or requester, must have the student's prior written consent in order for NSC to provide this information to the requester because the requester must provide the student's social security number (SSN) (i.e., non-directory information) in order to use the Degree Verify Service.
You now seek additional guidance on whether University A, in the example above, would also need the prior written consent of an eligible student before University A, acting as the requester, uses the NSC Degree Verify Service to obtain degree and enrollment information about that student from another school. Specifically, you are concerned that instead of submitting directory information, as is required by NSC's EnrollmentSearch Service, schools may be submitting personally identifiable information from education records in the form of student SSNs to NSC's Degree Verify Service. As explained below, a school may not submit personally identifiable information from a student's education records, such as a SSN, to NSC's Degree Verify Service in order to obtain information contained in education records of the student that are maintained by, or on behalf of, another school.
FERPA protects the privacy interests of parents in their children's "education records," and generally prohibits the disclosure of education records, or personally identifiable information from education records, without the prior written consent of the parent or eligible student. When a student reaches the age of 18 or attends an institution of postsecondary education, the student is considered an "eligible student," and all of the rights afforded by FERPA transfer from the parents to the student. 34 CFR § 99.3 "Eligible student."
The term "education records" is defined as all records, files, documents and other materials which:
contain information directly related to a student; and
are maintained by the educational agency or institution or by a person acting for such agency or institution.
20 U.S.C. § 1232g(a)(4)(A); 34 CFR § 99.3 "Education records."
As we understand it, NSC maintains education records on behalf of certain schools that have contracted with NSC to provide enrollment and degree verification services for such schools. This Office has previously advised schools that they may use outside entities, such as NSC, to provide verification services consistent with the requirements of 34 CFR §99.31(a) and §99.7(a)(3)(iii). FERPA contains an exemption to the prior written consent requirement that permits an educational agency or institution to disclose personally identifiable information from education records to other school officials, including teachers, within the agency or institution whom the agency or institution has determined to have legitimate educational interests. 34 CFR § 99.31(a)(1). Thus, an organization such as NSC, by virtue of a contractual relationship with an educational agency or institution, may be considered a school official with legitimate educational interests under 34 CFR §99.31(a)(1) subject to the provisions of 34 CFR §99.7(a)(3)(iii).
Under 34 CFR §99.7(a)(3)(iii), a school must include in its annual notification of rights under FERPA a statement indicating whether it has a policy of disclosing personally identifiable information under § 99.31(a)(1) and, if so, a specification of the criteria for determining who constitutes a school official and what constitutes a legitimate educational interest. Accordingly, if a school has included in its annual notification of rights under FERPA criteria that support the designation of an organization such as NSC as a school official with a legitimate educational interest, then FERPA would permit the educational institution to disclose personally identifiable information from education records to NSC without the signed and dated written consent of the student in order that NSC can carry out its job function of providing degree/enrollment verification information to outside requesters. However, for the reasons outlined below, in order for NSC to disclose personally identifiable information from education records to a third party requester, the student must provide his or her prior written consent authorizing the disclosure.
As you know, one of the exceptions to the prior written consent rule allows schools to disclose properly designated "directory information" without an eligible student's prior written consent. See 34 CFR §§ 99.31(a)(11) and 99.37. FERPA defines directory information as information contained in an education record that would not generally be considered harmful or an invasion of privacy if disclosed. 20 U.S.C. § 1232g(a)(5)(A); 34 CFR § 99.3. Directory information includes, but is not limited to, information such as name, address, dates of attendance, degree obtained, grade level, photograph, student status (full-time, part-time, undergraduate, graduate), telephone number, date and place of birth, and participation in officially recognized activities and sports. "Dates of attendance," as defined in § 99.3 of the FERPA regulations, and revised in a final rule issued on July 6, 2000, means:
(a) The period of time during which a student attends or attended an educational agency or institution. Examples of dates of attendance include an academic year, a spring semester, or a first quarter.
(b) The term does not include specific daily records of a student's attendance at an educational agency or institution.
"Directory information" may not include the student's social security number (SSN) or other student identification number. Moreover, schools (and their contractors) must honor a student's decision to opt-out of the disclosure of directory information under 34 CFR § 99.37.
While degree and enrollment status may be designated and disclosed as directory information, there is no exception to the prior written consent rule that allows disclosure of non-directory, personally identifiable information such as a SSN from a student's education records to confirm or verify a student's degree or enrollment status. It is our understanding that a requester who uses NSC's Degree Verify service has prior, written consent from the student permitting access to information in education records maintained by NSC on behalf of a school. In other words, this prior written consent would permit NSC to match the student's SSN in its database with the SSN submitted by the requester for identification purposes incident to a search of its database for purposes of providing degree or enrollment verification information. However, if an eligible student has not provided the requester with prior written consent for the disclosure of personally identifiable information from education records, then NSC cannot match the student's SSN in its database with the SSN submitted by the requester.
This Office has previously advised schools that unless an eligible student provides signed and dated written consent permitting a school to release personally identifiable information, a school may not use personally identifiable information from education records to confirm or verify any information contained in education records of that eligible student that are maintained by another school or by a contractor acting on behalf of another school. Specifically, we believe that the confirmation or verification of personally identifiable information such as a SSN in a student's education records in and of itself constitutes a prohibited disclosure of personally identifiable information under FERPA. For example, on March 10, 1999, this Office determined that a local school district in Newcastle, Kentucky violated FERPA when a school official confirmed certain personally identifiable information about a student that a newspaper reporter had obtained from outside sources.
Applying these rules to your inquiry, if a requester enters a student's SSN into NSC's Degree Verify website, and NSC uses the SSN to identify the student and find matching enrollment or degree information, then NSC may not release the enrollment or degree information unless the student has provided prior written consent for the disclosure. Even though enrollment and degree information may be designated and disclosed as directory information, the use of personally identifiable non-directory information (the SSN) to identify the student constitutes an impermissible disclosure of the SSN when NSC returns matching directory information to the requester. Therefore, absent prior written consent of the student, NSC may only use "directory information," such as name and date of birth (not the student's SSN) to identify the student and search its database for matching information for purposes of providing degree or enrollment verification and only for those students who did not opt out of the disclosure of directory information.
This analysis applies to verification services that NSC, or other contractors, may provide for schools and covers education records of current, as well as former, students. Thus, for each requester that submits the student's SSN, or other personally identifiable information, to NSC to obtain enrollment or degree verification, the student must have provided his or her signed and dated written consent authorizing the disclosure. Moreover, this requirement applies to all requesters, including educational agencies and institutions and their contractors.
Finally, if this Office received a complaint from an eligible student (former or current) that NSC improperly disclosed personally identifiable information from their education records to a school or other requester seeking enrollment or degree verification information without the student's signed and dated written consent, then the focus of our investigation would begin with the school that provided NSC with the education records, or access thereto, in the first place.
Should you have further questions regarding this issue, or FERPA in general, please do not hesitate to contact this Office.
LeRoy S. Rooker
Family Policy Compliance Office