Must the LEA ensure that a community-based organization designated as its authorized representative complies with FERPA?
Yes. Before the LEA discloses personally identifiable information (PII) from education records to a community-based organization designated as an authorized representative, the LEA is required to use “reasonable methods” to ensure to the greatest extent practicable that the community-based organization is FERPA-compliant. This specifically means ensuring that the community-based organization:
- Uses PII from education records only to carry out an audit or evaluation of federal- or state-supported education programs, or for the enforcement of or compliance with, federal legal requirements related to these programs. The LEA should make sure that the proposed audit or evaluation is legitimate, and require in the written agreement that the community-based organization use the PII from education records only for that audit, evaluation, or enforcement or compliance activity.
- Protects the PII from education records from further disclosures or other uses, except as authorized by the LEA in accordance with FERPA. The agreement must specify that the community-based organization may not further disclose the PII from education records, unless authorized.
- Destroys the PII from education records when no longer needed for the audit, evaluation, or enforcement or compliance activity. The agreement must specify that the community-based organization is required to destroy the PII from education records when it is no longer needed and specify the time period in which the PII must be destroyed. See 34 CFR § 99.35(a)(2).
K-12 School Officials
Community Based Organizations
Exceptions - Audit/Evaluation