In an update of key federal privacy rules, the U.S. Education Department is trying to tell colleges what they can release about students, not just what they can't release.

The rules -- published in today's Federal Register -- update the Family Educational Rights and Privacy Act, which generally bars the release of educational records by colleges without students' permission.

But the law, known as FERPA, has taken on a life of its own. According to many experts, FERPA is cited regularly by colleges to avoid releasing information that's not even covered by it. In the wake of the Virginia Tech killings, there has been renewed interest in clarifying what colleges and schools may release -- and in many instances the new regulations appear to be reassuring colleges that FERPA only goes so far, and that they do have discretion to release certain kinds of records.

For example, the new regulations state explicitly that in the case of a health or safety emergency, a college can disclose information about students without their permission. While the rules require some justification for such release, they make clear that the protections on student privacy are not absolute.

Rather, the final rules say, the idea is to find "the right balance between student privacy and campus safety." The rules specifically affirm the value of notification, noting with appreciation some responses to earlier drafts that thanked the department for seeing that notifying parents and others of certain situations may help protect the safety and health of all involved.

Of course to the extent that colleges have leeway to disclose information in health and safety emergencies, that begs the question of who decides what's an emergency. Here too the new rules generally give colleges and schools more explicit authority to make that determination, provided that some "rational basis" exists for doing so.

Some privacy advocates have worried that the department's draft guidance on this issue gave too much power to colleges and schools, potentially eroding student privacy rights. But the department's rules stand by its desire to give colleges that authority.

"[T]he department will not substitute its judgment for that of the agency or institution if, based on the information available at the time of the determination there is a rational basis for the agency's or institution's determination that a health or safety emergency exists and the disclosure was made to appropriate parties," the rules state.

At the same time, the rules do state that educational entities will be required to "record" the "articulable and significant threat" to health and safety that they believed justified waiving normal FERPA protections, and that the leeway being granted is not "blanket." Such a record would need to be maintained as long as the school or college maintained the student's educational records. But while insisting on a record, the department states that educators need the "flexibility to act quickly and decisively when emergencies arise."

Much of the language in the new rules seems designed to reassure colleges about longstanding procedures rather than to make new ones.

For example, here is the language on disciplinary records: "[N]othing in FERPA prevents an educational agency or institution from including in a student's records and disclosing to teachers and school officials, including those in other schools, appropriate information about disciplinary actions taken against a student for conduct that posed a significant risk to the safety or well-being of that student, other students, or other members of the school community."

And the department states that this applies to any educational institution and does not limit the transfer to institutions attended consecutively. An example the rules cite is that it would be legal for a high school to send such records to a graduate school.

Social Security Numbers and Other Numbers

Much of the interest in FERPA focuses on campus safety, but the law also sets off debates over whether Social Security numbers can be used, and in what contexts. Many colleges in recent years have been moving away from using Social Security numbers as campus identification numbers -- although others have not. The final regulations released today do not require colleges to stop using Social Security numbers for educational record keeping, provided access is strictly limited.

Other identification numbers, generated by colleges, may be included as "directory information" (which generally can be released) provided that those numbers alone cannot be used to breach students' personal security. So if those numbers require a password, their inclusion in directories isn't problematic, the rules say.

In addition, while it was once common for professors to post students' grades with Social Security or campus ID numbers, the rules note with approval that this is not standard today. However, for professors who want to post grades, the rules say that the use of unique numbers known only to student and instructor are an acceptable way to protect student privacy and avoid identify theft.