The U.S. Department of Education issued new guidance on December 20 addressing the efficiency and enforcement of the Family Educational Rights and Privacy Act (FERPA).
The guidance follows the November release of an audit report undertaken by the Office of the Inspector General addressing the Office of the Chief Privacy Officer’s handling of complaints brought under FERPA. The audit determined the Privacy Office did not have proper controls to ensure it timely and effectively processed FERPA complaints, and included corrective action recommendations:
- The Privacy Office should allocate appropriate resources to eliminate the current unresolved complaint backlog so that it can resolve complaints in a timely manner going forward. The Privacy Office should also work to resolve FERPA policy issues that affect its ability to resolve certain complaints.
- To eliminate control weaknesses, the Privacy Office should ensure its policies and procedures are appropriate and comprehensive to effectively guide staff that resolve complaints as well as managers that oversee their work. The Privacy Office should also implement an effective complaint tracking process to ensure it can maintain reliable and complete information on the status and outcome of all complaints received. In addition, the Privacy Office should develop meaningful performance standards for the complaint resolution function and for staff that resolve complaints. The Privacy Office should also avoid putting complaints that warrant an investigation into an “inactive” status. Finally, the Privacy Office should ensure it communicates timely and effectively with complainants and develop a process for evaluating the risk of incoming complaints to ensure that high-risk or high-impact complaints are assigned the highest priority.
A month after the audit, the Department of Education has issued new guidance:
The Department will continue to conduct full, formal investigations where necessary and appropriate to enforce rights and resolve violations under the statute and regulations. In making these determinations, we will adopt the Office of Inspector General’s recommendation to prioritize the highest risk complaints for formal investigation based on “the severity of risk to student privacy, the number of students affected, [and] other relevant factors.”
The department has added a four-page summary of the anticipated changes on its website. If you have any questions on the guidance and how it affects your school, please contact any member of the Barley Snyder Education Practice Group.