Webinar | FERPA and IDEA Privacy Requirements: 101 for Parent Centers

Webinar | FERPA and IDEA Privacy Requirements: 101 for Parent Centers


– [Announcer] Broadcast is now starting. All attendees are in listen only mode. – [Myriam] Good afternoon every– – [Announcer] Muted, unmuted. – [Myriam] My name is Myriam Alizo, and I would like to welcome
you to today’s webinar. Before we get started, I would like to go over a few items so you know know how to
participate in today’s event, which is FERPA and IDEA Privacy Requirements 101 for Parent Centers. You will notice on your screen a screenshot of an example of
the go to webinar interface. You should see something
that looks like this on your computer desktop
in the upper right corner. You are listening in using
your computer’s speaker system by default. To the right of the go to
webinar PowerPoint viewer is a go to webinar control panel. This is where you have the option to select the way to hear the webinar, raise your hand, and
ask questions by text. You will have the opportunity to submit text questions
to today’s presenters by typing your questions into
the questions for staff pane of the control panel. You may send in your questions at any time during the presentation. We will collect these and address them during the Q and A session at the end of today’s presentation. You can also download the
webinar handout and the slides. They are available to you. Then I pass the torch to Carmen Sanchez. – [Carmen] Hello Parent
Centers, this is Carmen Sanchez. I’m either your project officer, but I’m also the Parent
Center program lead here at the Office of Special
Education Programs. So this is one of the
roughly quarterly webinars we have with you around
topics that are of interest to the entire Parent Center network, and one of the questions
that we’re asked quite a bit were having to do with
both the FERPA requirements and whether not they apply
to our parent centers, but also just the FERPA
requirements generally and families and also some of the IDEA
privacy requirements. So because of that we’ve gotten some, we have two colleagues here
from the Department of Education who are going to address both of them during this presentation. They are Frank Miller, who is acting deputy in the
Student Privacy Policy Office, and Kala Shah Surprenant, who is general counsel in the office, I mean, she’ll explain her title in the Office of General Counsel. We’re going to discuss these
very important topics with you, and then we’ll go over
some of your questions. I also just want to draw
your attention to the fact that you can download
the FERPA presentations as Myriam pointed out in the handouts, but they are in Adobe Acrobat because they cannot be changed. We know that they are legally sufficient in the way that they’re written right now, but we cannot have you change any of that. But you’re free to use them, and you’re free to use
them with your families. So, without any further ado, let me turn it over to Frank and Kala to present this presentation on the
FERPA and IDEA privacy rights. Thank you. – [Frank] Good afternoon. This is Frank Miller. I am the deputy director in the Student Privacy Policy office. This is a relatively
new name for our office. For years we have been known as the Family Policy Compliance office, so I’m glad you were able to
spend your afternoon with me as we discuss IDEA and FERPA, and I’ll turn it over to Kala
so she can introduce herself. – [Kala] Thanks Frank. This is Kala Shah Surprenant, Senior Counsel in the Office
of the General Counsel. I’ve been with the department, U.S. Department of Education
for almost 20 years, and have spent a lot of time answering questions about IDEA, worked on both IDEA parts B and C. I work on other matters as
well for the department, but one area that has been
of critical interest to me is the area of privacy
and confidentiality, so we look forward to
the presentation today. Next slide. – [Frank] So this
afternoon we hope to cover a couple different things. As you can see, we’re gonna to talk about three different statutes. IDEA Part C, Part B, and FERPA, and we’re gonna talk about how
there are some similarities between the three statutes,
how they’re slightly different, and how you can kind of read them together as you answer questions that may come up during your normal course of business. Next slide please. This just kind of reiterates
what I said before. So, you’re gonna see, we’re gonna walk through several
sections of the statutes, we’ll break them out and address them, and kind of show the
commonalities, the differences, and then how we can work together to resolve some of the conflicts as you read the two together. I’m gonna turn it over to Kala now. She’s gonna kind of give us
a little bit of a background of who we are per se. Next slide, and Kala? – [Kala] Thanks Frank. So, our oldest privacy statute
in the educational arena is FERPA, and FERPA was enacted in 1974, last major set of regulations in 2011. IDEA Part B has been around since 1975, obviously then referred to as the education for handicapped act, and in 1986, IDEA was further amended to add the early intervention
and preschool programs. The last major set of IDEA
Part C regulations, in 2011, added for the first time, separate confidentiality provisions that expressly applied to
early intervention programs. Prior to that time, the Part C program
cross referenced Part B, which then cross referenced
the FERPA regulation, and there were some unique twists, and it was very complicated for the early intervention
programs to apply the rules. So our statutes have been around
for a long period of time, they predate the internet, they predate a lot of the
technology and privacy issues that we encounter today, and our regulations, while updated, haven’t been amended
primarily really since 2011. Next slide please. And then as you can see
the world has changed a lot since IDEA was initially enacted in 1986. Next slide. In fact, even in 1975
things were quite different. I still remember seeing Jaws as a child, being sim-prim-in-ally traumatized, but at the same time, you know, the kinds of issues at
schools, and teachers, and of course ae-row-in-en-chent programs weren’t even a federal program back then, kinds of issues they
faced were very different. Next slide please. And of course FERPA is our
oldest privacy statute. In the time that, when
FERPA was initially enacted, and IDEA was enacted after that, congress was cognizant that
there would be differences between the two statutes because of FERPA’s applicability
being different from IDEA. FERPA applies to educational
agencies and institutions that receive federal funding from the US department of education, whereas IDEA applies to either
children with disabilities of a certain age group, or young
children with disabilities. Next slide please. So these are where the
three statutes are located, and the citations are here if you need to refer back to this. As I mentioned, FERPA is the oldest, and after IDEA was enacted, the secretary of the US
department of education, under section 617 of IDEA, was directed to identify and implement regulations that would be consistent with FERPA. So we try to read the
statutes consistently, but we also recognize
that there are differences and we’re going to talk about
some of those differences today. Next slide please. Frank. – [Frank] Thanks Kala. So in the various slides that you’ll see throughout the
course of this presentation you’ll see, kind of, we
do an introductory slide to each section which has a square for Part C, Part B, and FERPA. And in this case where
we’re gonna talk about personally identifiable
information, or PII, you can see all three have
some very similar languages, so that’s why you see the same picture in each of the three blocks. If we could move to the next slide please. So let’s talk about personally
identifiable information. We hear that term thrown out a lot in the context of privacy
and student privacy. It obviously contains
some of the more common, obvious themes, right? Name, mother’s maiden name,
address, date of birth, social security number,
some really common things that when we think of
personally identifiable, those probably come to mind right away. However, we also, under FERPA, have added some additional clauses, so if we could go to
the next slide please. In FERPA we added to two
different caveats back in 2008 as Kala talked about
we had some different, over the course of time
we’ve done some re-regulation and re-amendments, but in 2008 we added two different components
to our PII definition. The first is the first bullet, which basically it talks
about anything like in combination or length-oo-old-gether would allow anybody within the school, a reasonable person within
the school community, who doesn’t have personal
knowledge to identify the student. So we usually do, if I was
doing an in person presentation, I’d do a little story about
Peter Pan and Captain Hook, in which case I say if we
talk about a student who has a wooden leg, a patch for
an eye, not saying the name, but having this couple of identifiers, you can piece it together that we’re talking about Captain Hook. So that’s kind of what we get at with this first bullet under PII. It’s those things that
although individually they might not be PI, but
when you put that together, you can figure out the
identity of the student with reasonable certainty. The second caveat is information
requested by a person who the educational agency believes knows the identity of the student. I kind of like to call
this one the media request. So somebody from the media
is requesting information, but they really know
who the individual is, they’re just trying to get some background for a story they’re doing. So those two things are
a little unique to FERPA in that we’ve added them
in addition to kind of the more common things you
would think of under PII. And I think now I’m gonna
turn things over to Kala, and she’s gonna talk a little bit about how IDEA discusses personally
identifiable information. Kala. – [Kala] Next slide please. So the good news is the definition of personally
identifiable information or PII is really the same
across the three programs. Part IDEA Part C has some
translation provisions where the term child is
substituted for the term student, and where the term school abuse is early intervention service provider. With Part B, while the language
seems slightly different, the reasonable certainty language that the Captain Hook example if you will as Frank mentioned, is really
the same idea under Part B. So there really isn’t a
substantive difference, and for those of you who are in the early intervention world, you may recognize when they have programs that also have to comply with HIPAA, and as you know, unlike
our educational statutes which protect personally
identifiable information, HIPAA protects something called PHI or… Health information,
personal health information. So, we’re not gonna talk about PHI today, but I wanted to make
sure the folks understand that PII is what we’re
talking about today. Next slide please. So now we’re gonna
transition and talk about what records are covered, to
whom do these rules apply, and when do these
protections come into play? Next slide please. – [Frank] So as we look at
what records are covered, you’ll notice when we did
the first kind of snapshot of the smiley faces under PII, they were all similar because
all three of the statutes basically said a lot
of the same components. When we talk about what records are actually covered however, you can see we have three
different smiley faces because each of the three
statutes has some unique nuances. Starting and really building upon what we have as a foundation under FERPA. So if we can go to the next slide please. And I’ll start, I’m gonna talk about the FERPA side of things. Under FERPA, in terms
of education records, there’s really two basic
caveats that they have to meet, is are the records directly
related to a student, and are they maintained
by the educational agency or institution? So it’s a pretty broad definition, but it has those two, like
that two pronged caveat, and why that’s important is, as Kala said, FERPA was written in 1974, so that was pre-internet, pre-email, pre-online school record portals, etc. So it’s really almost
medium neutral in that if the record is directly
related to the student and maintained, under FERPA
that would be considered an education record. And I’m gonna turn things over to Kala who’s gonna talk a little bit about how that carries over into
IDEA Part B and Part C. Kala? – [Kala] Thanks Frank. So the same two standards apply in that the record has to directly
relate to a child or student, but the second part is a
little broader under IDEA. The IDEA language refers to records that are required to be
collected, maintained, or used, or sometimes we paraphrase it in regs to say records that are
collected, maintained, or used, suggesting that’s even broader, not just those that are required to be collected, maintained, or used. And this becomes complicated because we have now records that are maintained in cloud based systems,
and it’s not always clear whether the EIS provider
or an LEA or school is maintaining those records. Often our analysis is very case specific, but I wanted to pause on this slide because so many of the
questions we receive, you’ll wanna go back and
look at the regulations in this space both under
Part C, under Part B, if it’s a question for a
child with a disability, and under FERPA. Next slide please. – [Frank] So the next section
we’re gonna talk about now that we’ve discussed what’s personally identifiable information and what are education records, let’s talk about who has to comply with the various
confidentiality provisions of IDEA and Part B, as well as FERPA. As you can see on this slide, we have again three distinct faces, so that means we have pretty much three distinct aspects of who must comply. And we’re gonna start off with Kala. If you can go to the next slide please. – [Kala] So under IDEA it
is the participating agency, those under IDEA Part C, and under IDEA Part B, that must comply with the
confidentiality provisions. What does that mean? Who is the participating agency? It’s any individual, agency,
entity, or institution that collects, maintains, or uses PII to implement the requirements of IDEA. For Part C, there are two
additional provisions. It includes an individual or entity that provides Part C services of any kind. That can include service
coordination, evaluation, whether a child is
determined eligible or not, and finally there is an
exception to the definition of participating agency. And that’s the third bullet on this slide. The definition excludes… Entities who are observed
as primary referral sources, and a common question
we receive in this area is whether any programs, physicians, and others who refer a child, would be included in that umbrella of a participating agency, and
the answer generally is no, although there can be some exceptions. The second exception
are agencies or entities that act solely as funding
sources for Part C services and are not part of the state lead agency or early intervention service providers. For example, a Medicaid agency,
where the state lead agency is the SEA or the state educational agency or another state agency. I want to pause here
because a lot of the time are questions that come in about whether or not information can be shared with or without parent consent, often hinges, in Part C, on this definition, participating agency. Next slide please. And as I mentioned, the
definition of participating agency in the Part B is very basic, if the agency is responsible
for implementing Part B, it then must ensure that that information that’s maintained or used,
that PII is protected. Next slide please. – [Frank] So let’s talk
a little bit about… Let’s talk a little bit about who must comply with the FERPA provisions, and our big thing is we apply
to educational agencies or institutions. And as you can see by the definition, we have two caveats, any
public or private agency or institution that provides
educational services. So think of it simply as
any elementary school, secondary school, university that receives federal education dollars from the US department of education under the control of the secretary. We often get a lot of questions. Well what about a private
preschool or a private school? And typically a lot of
your private schools, your parochial Catholic high schools or different, of that sort, they would not have to
technically comply with FERPA because they’re not receiving US department of education funds, so we’ll get calls from parents that are having difficulties with some of their
child education records, but they go to a parochial school and there’s nothing that our
office can really do to assist. I know in some states,
from my interactions, they may have requirements
that a private school follows certain guidelines
similar to FERPA, but in terms of the
oversight of our office and the federal statute,
it’s only those schools that receive US department
of education funds. It gets a little trickier,
and not so much in this sense, but for the post secondary arena because almost all the
private universities do participate in federal student aid which is, you know, the
biggest funding stream from our department, so a university may be a private university, but they’re receiving, you
know, federal student aid so they would then have
to follow and comply with FERPA as well. – [Kala] And Frank, I
just wanted to mention, in there’s one limited
instance under the IDEA when a state lead agency or
a state educational agency has publicly placed a
child in a private entity, like a private school, then in that very limited instance, if those federal funds
are used for that say, the one child who’s placed
in a private setting, then the FERPA and IDEA provisions would carry with that child, not to the whole school, but to that child who’s
been publicly funded. – [Frank] Yes, thank you for that, yes. We have gotten questions of that and I think exactly as you said Kala, it would, especially like the FERPA side, would apply to the records
of that sole student. It wouldn’t mean the whole private school would have to comply with
FERPA, but just the records pertaining to that one individual student. Okay, next slide please. Okay, so we’ve talked about who the confidentiality
provisions under FERPA and IDEA apply to, but
now let’s talk about when they actually start applying, cause there are some
differences as you can see across Part B, Part C, and FERPA. We all have, there’s a little,
slightly different nuance as far as when these
confidentiality provisions do apply. Next slide please. – [Kala] So, there are a few differences. Part B and Part C of the IDEA are clear that once a child
is referred to the program, regardless of whether that child was determined eligible or not, the confidentiality provisions apply. That means that the same rights of access to information by a parent, the obligation to maintain confidentiality of personally identifiable
information is important. And Part C is a little
more recently promulgating in terms of regulations on this. So, there’s an additional provision about when that obligation ends. We added those provisions in
our final 2011 regulations in great part because we
had additional changes from the ed-dee program,
from the CAPTA program, where a number of children
were being referred to Part C, but not necessarily being
determined eligible. So Part B and Part C are similar that way. One additional difference for
Part C, although I would argue it’s probably the same
substantively for Part B, we just, we don’t have
specific regulatory language. And that’s the when does
that obligation end? And that’s the language
you see there on the reg until the later of when
the participating agency is no longer required to maintain, or no longer maintains that information. So that’s when, again, basically
as long as you have it, you have to keep it confidential. Next slide please. And you can see it’s the same for Part B. Next slide please. – [Frank] So let’s take a look at what FERPA has to say about when the confidentiality provisions apply, and here we’re a little different because under FERPA it’s when
the student is in attendance at the educational agency or institution. So that’s kind of
critical, and especially, again more so on the post secondary side, where a student is applying for admission and maybe never actually
attends that university. Those admission records would
not be covered under FERPA because the student was never
in attendance at that agency. So that’s a little difference in that we focus on a
student being in attendance. Now we often get questions of, well under FERPA, how long does a school have to maintain those education records? And FERPA is really silent on that aspect. We don’t have a specific time frame, kind of goes similar to
what Kala said under IDEA, basically those records, as long as the school maintains them, have to be maintained
consistent with FERPA. So there’s no prescribed
time frame on how long, but as long as they’re being maintained, they have to be maintained under the confidentiality
provisions according to FERPA. Next slide please. Okay, so we’ve talked about what’s PII? What are education records? Who has to maintain them in accord with the
confidentiality provisions? Let’s now take a look at whose
records are actually covered. Next slide please. – [Kala] So under IDEA Part C, the definition is fairly broad, it’s any individual under the age of six because states do have the option of serving children and
offering parents the option of providing services through age five. Next slide please. And under IDEA Part B, it includes all children with disabilities as well as records related to children who are referred to the
program as I mentioned earlier, and who aren’t determined eligible. Next slide please. – [Frank] And again looking at FERPA, pretty much what I said a few slides ago, it’s, the records are covered are those that are of a student. So it’s a student’s education records, and again any individual
who’s actually in attendance at that educational agency or institution. So we focus more on students. Next slide please. So over the next couple
slides we’re gonna move into, we’re gonna cover four
basic or primary areas. We’re gonna look at,
again, confidentiality, more so consent to release information. We’re gonna talk about
inspection and review, and amendment of records. We’re gonna talk again
a little bit more about the obligations to retaining records, and then we’re gonna finish up this kind of different section with a discussion of dispute resolution. So if we could go to the slide please. Let’s talk about basically what
is the definition of consent or consent to release
under the three statutes. And as you can see, we’re
gonna have some similarities between Part C and Part B,
and once we get to FERPA, just a little nuance. And I think Kala’s gonna start us off with talking about Part B and Part C. Next slide please. – [Kala] So the definition
under IDEA for consent is the same, and it is a
long standing definition. It is a definition that doesn’t just apply in the context of consent to disclose personally
identifiable information. The general rule in IDEA, as
well as under FERPA, is… Unless the statute expressly
authorizes disclosure, you need an exception to the general rule that you cannot disclose
personally identifiable information in a child’s record without attaining prior
written parental consent. And that’s common across
all three programs. The emphasis under IDEA on
the definition of consent is that it not just be written, it also be voluntary and informed. So if there are questions from a parent about what the meaning of
what they’re consenting to, and if the document itself is very unclear about what they’re consenting to, and this is the same definition that applies to consent for services as it would to be consent to disclose personally identifiable information, then an oral explanation
or other explanation should be provided in the document. We have had questions come
up in this area as well. For example, there are times
when primary referral programs want to try to get consent from families early on in the process,
when they refer a child to the Part C program. For example, the ed-dee program
may want to get information as they refer a child to Part C… About what happens with the child because they have tracking and other data that they have to report, and
also because they wanna ensure that that child does not
slip through the cracks. If they want to get that consent such that it would hold up under IDEA, they would have to ensure
that the explanation identified the kinds of
documents or information that could be shared back
with the ed-dee program. For example, the
termination of eligibility, or if a copy of the IFSP
for example would be shared. So it has to be somewhat detailed. That is broader than the
FERPA definition of consent. Next slide please. – [Frank] So let’s take a
look at consent under FERPA, and you’ll see we have
some definite similarities to what Kala talked about. It has to be signed, it has to be dated, and it has to be written. So there is no verbal consent to disclose under FERPA for example. We get questions a lot in terms of what do you mean by signed? And would an electronic signature work? And we have some specific provisions that it could be an
electronically signed consent. I think while FERPA itself
doesn’t specifically talk about the consent being voluntary and informed, I think that’s certainly kind
of the thought behind it, but one of the things
you’ll see differently is when you look at the regs under IDEA, they specifically state voluntary. You’re not gonna see
that same and informed, you’re not gonna see that same language under the FERPA side of things. Next slide. So we just talked about, again, getting what needs to be in those consents and typically before any
information can be shared you have to have the prior
written consent of the parent unless there is an exception. So, over these next couple slides, we’re gonna talk about some
of the different exceptions to prior written consent. And as you can see, we
have some differences across the three statutes. Kala, do you wanna talk, start us off by talking a little bit about the exceptions to
consent under Part C? – [Kala] Sure, thanks Frank. So this slide is probably out of order because the general exceptions
that you would think of are primarily under FERPA and Frank is gonna talk
about those as well, but there are some that are unique to IDEA Part C and Part B. Two of the definitions or exceptions that are unique to Part C
include what I mentioned earlier, the definition of a participating agency. Often… An individual or an entity will be part of what I call the Part C umbrella within the state. Part of that statewide system of delivering early intervention services, whether that’s a professional
on the evaluation team, the service coordinator, an early intervention service provider, an individual who may be working both with a payer of Part C services, but also is involved in the delivery of perhaps family services. So while it’s not a true exception, many many times we have
inquiries from states and as we probe further into how Part C is implemented
in an individual state, we’ll discover that the
definition of participating agency may be broad enough in that state to allow for what I call the
non-consensual disclosure. So basically that there isn’t a need to get prior written parental consent. That’s the first bullet. The second bullet is what we call the transition notification or opt out. When a child exits from
the Part C program, typically at age three, they may be referred on to
the Part B preschool program and in three quarters of our states those two programs are administered by two different state agencies, where the state lead agency isn’t the state educational agency. Our regulations permit
the state lead agency, or an agency under it, to provide basic Child Find information to the parent by the state educational
agency or the school district that would pick up that child at age three and conduct an evaluation. Under Part B, unless the
state has adopted in writing a written opt out policy
that informs parents that they have the right to opt out of that basic Child Find referral. Which some parents do elect to do, they just don’t want to start the school district
relationship for their child with kind of the history
coming over from Part C, or even the fact that they
had been served under Part C. So, you’ll have to know whether your state has an opt out policy, but if it doesn’t, then that notification can occur, and that’s an exception to
the disclosure generally, the disclosure occur only after private and parental consent. Next slide please. And these are the translation provisions to apply the FERPA exceptions
to the Part C program. Next slide please. In addition, under IDEA Part B, there are specific exceptions
because children at some point become no longer treated legally
as children in their state when they reach the age of majority. So in most states that would
be around the age of 18 and at that point the
child also has rights to receive information
in addition to the parent under IDEA Part B. And a note on the first bullet, officials of participating agencies also have the ability
to receive information, disclose and share PII without prior written parental consent. Both IDEA Part B and
Part C also incorporate the FERPA exceptions, and
Frank’s gonna talk about four of those. Next slide please. – [Frank] Thanks Kala. Under FERPA we have
about 14 or so exceptions to prior written consent
of varying degrees, and I think for sake of the
time of our session today, we don’t have a chance
to cover all of them, so as Kala said I’m gonna go over four of probably the more
pertinent to this audience. You’ll see one of the
handouts that we have added is a crosswalk between FERPA
and IDEA’s Part B and C. That’s gonna have a listing
of all the exceptions, so I’d encourage you at a later time to take a look at those. But let’s talk about four in particular. Audit and evaluation, the
Uninterrupted Scholars Act, compliance with judicial
orders and subpoenas, and health and safety. Next slide please. Audit and evaluation is typically how most state educational authorities gain data that they need
to do for data reporting, compliance with federal
legal requirements, and really you can go in
and audit an evaluation of that federal state supported program, and so accordingly, FERPA has an exception that allows schools to
disclose information to its federal state and local officials. We also have a thing called
the authorize representative of those officials to
do an audit evaluation or enforcement of, in compliance with federal
legal requirements. And there’s some caveats to that as far as the information can only be used for the audit and evaluation, it should be destroyed
after it’s no longer needed. So there are several
cuh-vit-al aspects of that, but in general the audit
and evaluation exception is really how SEAs can either
get the information directly to do their data reporting,
or have an entity do an audit and evaluation
on their behalf. That’s the audit and evaluation exception. Let’s go to the next slide please. – [Kala] And actually Frank
I just wanted to mention the audit and evaluation
exception has been used in some of the state longitudinal and early childhood data systems. This is fairly complex if your state is just in the process of reviewing how it might be able to
share data in this context and we strongly urge you to
communicate with the department and we’ll have some resources
identified at the end. Thanks Frank. – [Frank] Yes. Thanks Kala. So let’s take a look at the
Uninterrupted Scholars Act, and this is our most recent
exception to consent. It was implemented in 2013, and what had happened back in about 2006, we had a fostering care
connections act which was, this was something really talked about bringing together the educational system and the foster care community
to make sure those children that were placed outside
the home in foster care, that their education
wasn’t unduly interrupted because of the fact that
they were put into placement. So the Fostering Care Connections
Act was a great thing. The only problem was it didn’t address the actual disclosure of education records between children and youth
agencies and the schools, which would be prohibited by FERPA. So in 2013, president Obama signed the Uninterrupted Scholars Act, and that does a couple things, it permits the disclosure of PII, which we talked about earlier
from education records, from children in foster care. So basically the school
can disclose information to the child welfare agency of a child that is placed in foster care. And it kind of hinges on the aspect and dealing with our various local, state, state and local children
and youth agencies. It hinges on who has
access to the case plan, and it’s really again, specific to those children in foster care, placed outside the home. I know a lot states, as a
former case worker myself, we have children that are
under protective services, where the children and youth agency may keep a presence in the home, but the child is still in the home. The Uninterrupted Scholars
Act would not come into play in that situation. Same with the juvenile justice system. We have a separate exception
that kind of talks about some of that, but we’ve had
cases where juvenile justices have tried to use the
Uninterrupted Scholars Act and it doesn’t work. It’s strictly for those children that are placed in foster care. Next slide please. – [Kala] And in the IDEA context, the Uninterrupted Scholars
Act may come into play when you don’t have a clear parent and you may need to
appoint a third parent. There’s a consultation requirement in the IDEA Part C regulation,
and this is the exception that would enable that case worker from the child welfare
agency to speak with you. – [Frank] Thanks Kala. It’s a good point to add. So let’s take a look at
compliance with judicial orders and subpoenas. And this just kind of makes sense, so a lot of times either, maybe a case where a student is involved in some legal proceedings,
could be a lawsuit, but once the school is
presented with a judicial order or lawfully issued subpoena,
they have to act on it. And under FERPA, we say they
can make that disclosure consistent with the
judicial order subpoena without parental consent. There is a stipulation in that the school must still make a reasonable attempt to at least notify the
parent or eligible student that the order subpoena’s received. There are a couple exceptions to that, if there would be a grand jury subpoena, or there’s a couple different caveats that if it’s a certain type of subpoena that the school wouldn’t have
to make a reasonable attempt, but in general, school gets
a subpoena or judicial order, they make a reasonable
attempt to notify the parent, and then they act on that
judicial order subpoena. Anything you needed, or
wanted to add to that Kala, in the IDEA context? – [Kala] No, thank you. – [Frank] Okay. So let’s go to the next slide and we’ll talk about the last exception to consent that I’ll be discussing. I think this is probably
one of our more important if I were to rank order
or exceptions to consent, and that’s the health
and safety emergencies exception to consent. Really came to the forefront back in 96 with the terrible occurrence
that happened at Virginia Tech and that shooting, and since
then we’ve had, you know, numerous other situations
unfortunately where, you know, we’ve had active shooters
in school facilities. The health and safety emergency
is really an exception to try to mitigate all those situations. Now, we can’t mitigate them all, but we don’t want FERPA to be a barrier to getting information to the right people to help avoid such a
crisis or a catastrophe. So what the health and
safety emergency allows is it allows for the disclosure of really any information from a
student’s education record that is necessary to protect
the health and safety of other students. It really hinges on the fact that there has to be an articulable
and significant threat. So we’ve had situations
where certain schools or police departments, for
example, would want a listing of every student on every
bus route in the district just in case there was a bus crash. Now that may very well be a good idea, but under FERPA that
wouldn’t be permissible, and especially under the
health and safety emergency because it wouldn’t be an articulable and significant threat. In that situation it’s almost
meant to be more proactive which this exception doesn’t really cover. Under that health and safety emergency, who can be informed or provided
information without consent? We say appropriate parties, and that can mean state,
local, federal law enforcement, trained medical personnel. If it’s a college aged student it could be disclosures to the parents. But it’s really, the imminence is, the school can make a disclosure as needed to prevent the catastrophe from happening. Again, the last bullet
there we talk about it being an actual impending
and imminent emergency, and then there are some
recordation requirements that if a school does make a disclosure, they have to make a notation of that in the student’s education record. But that’s kind of, again, four of our more prominent
exceptions to consent. Anything you needed, or
wanted to add to that Kala before I turn over the next slides to you? – [Kala] Uh, yeah. So overall, these
exceptions are permissive and not mandatory. Do you wanna just clarify
what that means Frank? – [Frank] Yes. Thank you. So we get a lot of questions from parents who, you know, under some
of our different exceptions, feel that the exception compels a school to make that disclosure, and as Kala said, all of our exceptions to consent
are permissive in nature. So, it’s just a way that
FERPA has a mechanism where that disclosure could be
made without parental consent or the consent of a student
if it’s college age, but there’s nothing under FERPA that compels that disclosure. That even covers to the extent of, where we talked about
prior written consent. Even with prior written consent, that doesn’t require a
school to disclose any PII. It’s just, it’s a mechanism
that would allow for it, but there’s nothing that
compels those disclosures under FERPA. – [Kala] And that’s the same under IDEA. So both of these, all of these
exceptions we talked about are generally permissive, not mandatory. And one exception of course is under the transition
notification of the Part C, that is a mandatory notification unless the state has an opt out policy. – [Frank] Thanks Kala, so now I think if we can do the next slide, and Kala’s gonna talk about rights regarding access to records. – [Kala] Thanks Frank. So, under IDEA and FERPA, one of the basic confidentiality rights is the right of the
parent to access records and to make copies. Next slide. So under IDEA Part C, the participating agency
must allow parents to inspect and review
early intervention records that are collected, maintained,
or used by the agency without unnecessary delay,
and before any meeting, such as an IFSP meeting, or in the case of a due process hearing, if one has been requested, to ensure that the records
are provided access to, not later than ten days after
the request has been made. Next slide please. In addition, a parent has rights to copies of the early intervention records. They must receive at no cost,
a copy of the evaluation, the child and family assessment, and the IFSP as soon as possible after each IFSP meeting, and for any records beyond that, including an initial copy of
the early intervention record which also must be available at no cost, that’s the last bullet, after that they may
charge a reasonable fee for copies of records
that are made for parents if that fee doesn’t
effectively prevent the parents from implementing their rights to inspect and review records. They may not, under IDEA Part
C, Part B, or under FERPA, charge a fee to search for
or retrieve that information. Next slide please. Similarly under Part B,
there are the same inspection and review rights of education records before an IEP meeting, and if there is a due process hearing, that request is met within
45 days of the request. Next slide. So Part B, there is the
ability to charge for copies as long as again that, if imposing the fee would effectively prevent a parent from exercising their rights, and again they may not charge a fee for searching or retrieving records, and that’s a fee that you
often see more commonly in the fih-lay-uh context. Next slide please. – [Frank] Let’s talk a
little bit about FERPA and can records be reviewed? So under FERPA, a parent
or an eligible student has the right to inspect and
review their education records within 45 days of receiving a request. You will notice absent from our discussion of
inspection and review is the term copies. So while IDEA has some specific provisions that a parent is entitled to
copies of certain documents, under FERPA not so much. So we get a lot of questions where a parent will make a request to have a complete copy of
their child’s education records, and under FERPA there’s no provision that the school must provide those copies. Now we do have, kind of
one stipulation on that, if the parent lives outside,
and we typically say normal commuting distance,
so if a, you know, they’ve moved and they now
want access to records, that may be a situation where a school would provide copies to a parent, but typically under FERPA
they’re not required to. We’re seeing a lot of that now with the online school portals. Instead of providing a
parent who’s long distance from the school, actually copies, they will go in and give them access so they can view them electronically. So, under FERPA, right to inspect
and review within 45 days, again those education
records that are maintained and directly related to a student. But generally do not
have to provide copies unless there’s some
extenuating circumstances. If you look at the next slide please. And we have some of the same provisions as Kala discussed under IDEA. They may charge a copy
if they do give fees, they may charge a copy for those fees, unless it’s some extraordinary amount and that that would then in fact impose a, or inhibit the parent’s
ability to access his records cause if he is too imposing. And also they can’t charge a fee to search or retrieve these records. We have a very interesting
letter on our website from a parent who requested
access to information that was maintained in the SEA’s database, and there was, initially the response was
that they would have to pay to have a coder come
and write special code and the amount was like $10,000 to get access to the records. So we interceded in that case, but not generally required
to get copies under FERPA, and if they do give copies
they can charge a fee for retrieval, but they
could charge fees for copies much like you see in the IDEA context. Next slide. So this–
– So. – [Frank] Oops. I’m sorry, go ahead Kala. – [Kala] What if the
records don’t seem correct? All three programs and
regulations include provisions that are the same and have similar process
protections in place for parents. Next slide please. So both under IDEA Parts C and B, a parent who believes that the information in their child’s record
is inaccurate, misleading, or violates the privacy or
other rights of the child, can request that that record be amended. The agency must decide whether
to amend the information within a reasonable period of time, and if the agency refuses
to amend the information, it must inform the parent of that refusal and advise the parent that
they have a right to a hearing. If after the hearing,
the decision is reached to not amend the record,
the parent still has a right to insert a statement
in the child’s record. I want to pause just to
note that this is a right to correct inaccurate records, not to amend a substantive decision. For example, in the FERPA context, this isn’t to change the letter
grade on the report card, in the IDEA context, it’s not
to change the determination of IDEA eligibility that’s been reached, or goals on the IEP or IFSP. It’s really if there’s something
believed to be inaccurate. Next slide please. And similarly with FERPA,
it’s the same rights. Sorry, go ahead Frank. – [Frank] I was just gonna add I think you pretty much covered that in the other two slides. So let’s move on to the next slide. And let’s take a look at record of access. This is one where it’s
pretty much consistent between IDEA Part C and B, and
FERPA has a little different, but the general gist of
this is if we have somebody who is accessing the record,
and this would be somebody who’s authorized or makes a request, under the next slide please. You can see IDEA Parts
C and B, it would be, the key is this, it would be
somebody other than the parents or the authorized representative. So, if it’s an outside person coming in doing an audit for example,
it’s basically capturing who’s accessing the records,
and what did they access. If we go to the next slide. And FERPA has some similar things, this is where, we have some caveats where if it’s certain exceptions, where they’re getting
it through an exception, like if it’s school officials for example, you wouldn’t see a record of access because they’re accessing
those records all the time, but some of our exceptions, we talk about where they have to
document who has access, and that’s kind of pretty
standard records of access logs. And we want to make sure we
leave time for questions, so let’s move quickly through
the last couple slides and Kala’s gonna talk about the next slide which is how long do the
records need to be kept. – [Kala] Thanks Frank. Next slide please. So both IDEA Part B and Part C requires the participating
agency to inform parents when the PII that’s collected
or maintained or used, is no longer needed to provide services, and that may be some period
of time under most states, with their statute of limitations, it’s typically between five
and a half to six years given the grant cycle and
given other requirements, GEPA, statute of limits, after that child is no
longer being served, and at that point, once
it’s no longer needed, then the information in the record must be destroyed if the
parent requests that. However, a permanent record can be kept of the child’s name, date of birth, and some other specific
information that’s on that slide. Next slide please. Similarly, there aren’t similar provisions
actually under FERPA, the only provision regarding
maintaining records is really that they not be destroyed as long as there’s an outstanding request to inspect and review the records. So the IDEA is much more
protective in this regard. Next slide please. – [Frank] So what if we can’t agree? So let’s say, you know,
a parent or student is looking at the records and there’s just some disagreements
in the content thereof or they have concern that
the school has done things that isn’t consistent with IDEA or FERPA. So as we can see under IDEA
we have some similarities, FERPA just a slight difference. So let’s go to the next slide and I’ll talk about those differences. So where there’s disagreements under IDEA, you have dispute resolution processes and procedural safeguards. So, you have a couple options, you can file a state
complaint, there’s mediation, there’s due process hearing,
there’s IEP facilitation, various safeguards that
are kind of delineated at the state level and a
parent who had concerns or felt their things weren’t,
they didn’t agree with, could follow those processes. You’ll see that there
isn’t an oh-sep level complaint process because
it’s really generated at the state level. On the flip side, let’s
take a look at FERPA. Now there is one typo on our slide, it’s a reference hurl named FPCO, but now a parent has the
right to file a complaint with our office, the Student
Privacy Policy Office, and we have different
procedures how we would actually investigate these alleged
violations of FERPA at our federal level. We strongly encourage
parents to also address them at a local and state level
because a lot of times the state and local programs can actually do a more timely and also have a more case specific processing of the complaint, but where they’ve exhausted those avenues, they can file a complaint with our office and then we will take a look at it. Anything you wanted to add Kala? Or can we move on to the next slide? – [Kala] Yeah, we can move on. Thanks. So what is… To review important things to think about as you look at your own state, what are the document retention policies? Does it identify what kind
of records should be kept and how long those records are kept? Who has access to that information? And what resources are
available within your state? We certainly have resources
we’ll mention at the end including some websites
with training materials if you are looking to
educate parents or others about these privacy protections. Next slide please. And then where do we go from here? As you can see, we have a
common goal under IDEA and FERPA to protect personally
identifiable information, to ensure parents have rights of access as well as copies of records
in certain instances, but generally speaking
if you have a question when you’re reading the two statutes and regulations together,
and the question involves a child with a disability, under IDEA, start with IDEA first. It will cross reference the
applicable FERPA positions. That’s the most important
thing to know for this slide. Next slide please. And this is the contact information for the Office of Special
Education Programs that is responsible within
the US Department of Education for implementing the IDEA
program, Parts B and Part C. At the bottom are website links including the links to the
state contacts for your state if you have questions about
what provisions are in place within your state under IDEA. In addition is the general phone number, but I would recommend you
start with the websites. In addition, our student privacy office has some great resources available and we work closely with their office to ensure that questions regarding children with
disabilities under IDEA are answered consistently with FERPA. So Frank’s gonna talk about
some of those resources. Next slide please. – [Frank] So thanks Kala. Two, I think the things I
really want to point out on this slide are at the bottom, and that should really be
https://studentprivacy.ed.gov. So if you go into your google search and type in studentprivacy.edu.gov
it’ll give you a link that’ll take you there,
but we’ve really worked to hone this website over
the last several years and we’ve made it user friendly. It’s broken up by audience
so if you’re a parent, if you’re a school official,
we have different tabs that kind of have information
clustered by the audience. We have several little training videos, training curriculums. There’s a couple, several
neat little videos. One’s like a three to five
minute overview of FERPA. We have one for school volunteers, you know, use of email
for sharing of information under FERPA. So there’s several little videos that if you don’t feel like
reading 20 pages of legalese, you can watch a cute, funny
three to five minute video that’ll kind of give you the overview of several of our bigger
or more prevalent topics. The other thing I like to point out is our [email protected]
website, er, email address. We have a privacy
technical assistant center, several of you may have
interacted with them in the past, but we staff that, that help desk, and that’s a
good way if you have questions throughout the year
and you wanna make sure that your understanding’s on point, or you wanna just make sure
you’re not doing anything you don’t wanna do, or
you’re concerned that it may not be consistent with FERPA. That’s a place where you can send an email to the [email protected] email address and we’ll get a response back to you. We usually try to do it within, you know, five to seven days, depending on the complexity
it may be a little longer or it may be even a shorter turnaround. So a good chance for
you to send us questions and we can give you
some informal responses. There’s also if you go to
the student privacy website, there’s a contact us link
that you can click on that and that’ll give you another mechanism to submit informal questions, but just a wealth of
information on that website and then we have some
technical assistance resources as well. Next slide please. – [Kala] So we’d like to go
ahead and open up to questions. Carmen? – [Carmen] Um, yes! I sent you some questions that we’ve received from the audience and you should see them
in your chat boxes, if you would like to address them. One of them that’s probably
fairly easy to answer is the 45 day timeline. Is that 45 business days
or 45 calendar days? – [Frank] I can talk about
that one if you’d like Kala. I mean, I think in the absence
of where it’s specified it’s always assumed to be calendar days. Now I say– – [Kala] Specifically,
calendar days under IDEA. – [Frank] Yeah. I say that because I am
aware in my travels that, so if you think of FERPA
kind of establishing 45 days, there could be a more stringent state law. I know if you’re in California
and a parent makes a request, they have to provide
access within 10 days. So there could be, you know,
state laws that are more, again, stringent in that
they shorten the timeline. – [Carmen] Okay. But conversely states are not allowed to lengthen the timeline. – [Kala] That’s correct. – [Carmen] Right, okay. And like I said– – [Kala] Another question? – [Carmen] Um… There is also a question about a fee for redacting information. Can states charge a fee for redactions? – [Kala] So it’s my understanding under both IDEA and FERPA, there’s no fee for retrieving records. It doesn’t specifically
address redactions, and that is something
that may need to be done if the records relate
to multiple students. I don’t know that we’ve spoken
to that issue under IDEA. Do you know if you have under FERPA? – [Frank] No, but that
brings up a good question because a lot of times
there’ll be some confusion between what’s a request
for access under FERPA versus what’s a request for access under like the state
freedom of information or right to know laws. Usually where we see, you know if a parent’s
requesting information about their child, a lot of
times there’s nothing in there that needs to be redacted because they would only have access rights to that information
specific to their child. But if they’re making a whole sale request for different things, that’s
where I’ll usually see the redaction come into play. So, I guess it’s a kind of dovetail. I’m not, I don’t believe we
have a pine on the redaction, but we typically under FERPA, we don’t see redaction necessary if it’s the education
records of their own child. – [Carmen] I think that’s the same. – [Kala] So Carmen I
thought you had a question about the IEP document. – [Carmen] Mm hmm. – [Kala] And I think the
question was sometimes schools don’t wanna email the IEP. – [Carmen] Right. – [Kala] And that’s understandable because the IEP’s gonna contain personally identifiable information. And the school may want to ensure that it has appropriate
security standards in place, and so if they don’t have a
way to encrypt that record or ensure the security of that document, they may ask that that
information be provided manually. Some states have gone to
cloud based IEP forms, where there’s an auto generated email, but not all states are there yet in terms of the technology and resources. And that is up to the state. – [Frank] And I talked
about some of the videos on the student privacy website. There actually is, and again I think it’s maybe
like a five minute video that kind of walks you
through sending information or the use of emails as the
means to disclose information under FERPA. So that kind of walks through, but Kala said some of the safeguards, you know, dual authentication,
different things to make sure that the email address you’re using, it’s going to who you intend to. – [Carmen] Okay. There’s another question having to do with whether or not videos of students are considered records of a child. – [Kala] So that’s a pretty complex issue, and I’m not sure that we could get into it given the time that we have left. Um… I think we would be happy
to talk to that person individually or follow up in that context. Are there other questions
that might be shorter? – [Carmen] Um. – [Frank] Just one caveat to that Kala, and you’re right the question of videos are very case specific and we
don’t have time to go through, but on our student privacy website we have an FAQ document
specifically targeting videos and photographs that may be helpful to that individual. – [Carmen] Great! – [Kala] Great. – [Carmen] Another one that
might be short to answer is so do colleges not have
to protect information after the student leaves the school? – [Frank] Let me clarify
cause I wanna make sure what I said earlier didn’t
come across unclear. So, under FERPA we’re
talking about a student that is in attendance. So that’s kind of the
records that are created while that student is in attendance are education records and
I tried to explain it, as long as the school’s
maintaining those records, they must be maintained
consistent with FERPA. So a student graduates, the
records that were created during their time in school, as long as the school maintains them, they still have to be maintained
consistent with FERPA. So the student graduates, the school maintains those records, they’re still covered under FERPA. – [Carmen] And if for
some reason those records are no longer maintained
at all by the school, then… Well, FERPA doesn’t apply because there’s no record anymore you’re sort of saying, yeah. – [Frank] Right, so a lot
of times I mean some schools will destroy most of the
information when the kid graduates and then keep some very basic information, which that basic information would have to be kept
consistent with FERPA. – [Carmen] Okay. All right, you see if
there’s something else that we can um… – [Kala] I saw that there
was a question from a, about if the IEP team
considers the specific category and the family wanted that
omitted from the documentation. I guess that’s in the
context of amending records and a request to amend a record, and so I guess the question being asked is is that a substantive
decision or is that something that’s inaccurate or misleading? And of course this is a gray area because from the parent’s perspective it may be perceived as being
inaccurate or misleading, but typically in the eligibility
determination process which under Part B is done through a team, under Part C that’s the
qualified professionals who make that determination. If the team considers
specific information, that’s part of the IEP process, and some level of documentation
is typically required for the different categories
that are considered. To request that that record be amended to omit that information, which I believe is what the question was, would be somewhat unusual because
it was part of the process of determining eligibility
to look at the different applicable potential
definitions of a disability, for which that child might be eligible. However, if as a result of that the parent really felt strongly that a statement needed to accompany that, they could request an
amendment of the record, it might be refused,
and if after a hearing that decision stood, the
record would not be amended. There was a follow up question with regard to that in the chat, what happens if a state were to, you know con-sa-cra-men-toe
health or other treatment, can the parent include
a specific statement? And the parent can put in a request that is part of the
education records disclosed, that put in, sort of in essence,
their side of the story. This is not, you know, a long na-uhl, but an explanation perhaps
of the reason why for example that category of
eligibility was considered and why it was not really
an appropriate category. So, that is part of the statement
that could be requested. I believe those are the
only questions I saw online. Are there any additional questions? – [Carmen] There is one, and I don’t know whether or not this is a simple one, but it says if an agency sign in sheet prevents spaces for multiple
families to sign in, and that form also
collects the child’s name, disability, category, and date of birth, would that be a FERPA violation? – [Frank] We’ve–
– So, it’s a comp… – [Carmen] That question is
probably too complex for this. – [Kala] Yeah. – [Woman] No, I think
Frank was gonna go ahead. Frank do you have something quick? – [Frank] Yeah, I mean what we’ve said, we’ve had situations like that and again if its a sign in
sheet and other people can see another student’s name,
that could be potentially, and I always have to emphasize
potentially a violation because of all the case
specific nuances I’m not seeing. You know, I couldn’t give a definitive, but I mean we would have
concerns with that practice and in the past we’ve talked
to schools about not, you know, sign in sheets should be, you know, only be able to see
one line at a time, so, I couldn’t give a definitive, but I think there would
be some concerns there and certainly there’s best practices that would be better than
having one long sign in sheet where everybody’s name is visible. – [Carmen] Right, and that
might be a good question for that person to forward
onto that email you had about privacy– – [Frank] Definitely. Yep. – [Carmen] Yeah. Okay. And then there’s another question which I can probably answer which is what is the
intersection of HIPAA and FERPA, and the answer is probably that is a much more complicated
question for this webinar. – [Kala] No, but I think, I’m happy to just give
you a quick overview. This is not gonna be an answer. But HIPAA requires that covered entities, so that’s the who has to comply, protect PHI, protected health information, and that definition of
protected health information or PHI, includes an exception for those, for sort of the information and records that are protected under FERPA. So ordinarily, in most
instances but not all, if the records are covered under FERPA, which are true for most our
K12 schools for example, then it’s an exception and the HIPAA rules generally don’t apply. HIPAA has more than just one set of rules. It has a privacy rule, a security rule, FERPA, it’s just a privacy rule, we don’t have a security rule. IDEA doesn’t have a security rule. However, we know, particularly in IDEA for a lot of our Part C programs that are placed in the
Department of Health for example, some of those programs have
to comply with both HIPAA and the IDEA Part C
confidentiality requirements, and that gets fairly complicated, and I have worked with many programs as the office of special
education program, with the office of civil rights that implements the, over at the HHS that implements the HIPAA
rule, the privacy rule. So if there are questions
we’d be glad to follow up. Reach out to your state contacts and we can certainly work with you. While it’s complex, most of us are familiar
with the HIPAA privacy rule. If you’ve been to a doctor
your quite familiar with kind of how that works. And so it’s just an
overlay, but in general when you have to comply
with both sets of rules, you have to comply with
the more protective of the two sets of
rules, and that of course raises more questions, but
that’s the general answer in terms of a two minute overview. – [Carmen] Great, thank you. So, we’re at 4:14, I want to, I’m gonna turn it over pretty soon to um, um, Miriam, who’s gonna close us out, but I want to very much
thank Frank and Kala for this extremely
thorough look at both FERPA and IDEA issues around privacy. And of course you have
their contact information, and also you have information
for how to get in contact with the FERPA privacy
TA center, so remember that you can download the
pdf of this presentation from the control panel on the right. And then be able to be in
contact with follow up questions. So thank you so much for
everybody’s participation, now let me turn it over to Miriam. – [Miriam] Yeah, thank you Carmen. Yes, the webinar is recorded and we will soon place the
slides and the recording here on the
parentcenterhub.org/osep-webinar, but you will find it over there, and you will also get a recording, the link, I will send it to you, so don’t worry about it because
you are listening to this, or if you registered for this
webinar, you will get it. And um, let me see there’s one more slide. Thank you, and you will
get a link to a survey as soon as this webinar is over. So please make sure that your response to the survey is short, and thank you again to
Frank Miller and Kala Shah for your presentation. It’s very valuable, and hope you can join us next time. – [Kala] Thank you Miriam. – [Carmen] Bye. – [Kala] Take care, buh bye. – [Frank] Thank you.

Leave a Reply

Your email address will not be published. Required fields are marked *