Office of the Attorney General — State of Texas John Cornyn The Honorable Jane Nelson Chair, Committee on Nominations Texas State Senate P.O. Box 12068 Austin, Texas 78711

Re: Whether the Texas Interagency Council on Early Childhood Intervention is authorized to require local service providers to collect and submit to the Council personally identifiable information regarding children and their families, and related questions (RQ-0535-JC)

Dear Senator Nelson:

You ask whether the Texas Interagency Council on Early Childhood Intervention (the "Council") is authorized to require by contract that local service providers collect and submit certain information to the Council. It is not clear from your request whether the information at issue pertains only to children and families served by the Council and local service providers or whether you are also concerned about other kinds of information. Given the complexity of federal law governing the Council and local service providers, we limit our analysis in this opinion to information about children and their families. We conclude that the Council is authorized by state and federal law to require local service providers to submit information about children and their families for the purpose of evaluating federally and state funded programs, but that the Council may not redisclose the information except in compliance with federal law.

Subchapter III of the federal Individuals with Disabilities Education Act, 20 U.S.C. § 1400-1487 (2000) ("IDEA"), as amended in 1997, see Pub.L. No. 105-17, 111 Stat. 37, establishes a federal program pursuant to which the United States provides financial assistance to states to develop a statewide system to provide early intervention services to infants and toddlers under three years of age, see 20 U.S.C. § 1431-1445 (2000). This portion of the IDEA is commonly referred to as Part C, see Pub.L. No.105-17, 111 Stat. 37, and is distinct from Part B, which addresses services for children three years of age and older. Both Part C of the IDEA and the federal rules promulgated under Part C, see 34 C.F.R. pt. 303 (2002) ("Early Intervention Program for Infants and Toddlers with Disabilities"), require each state to have a "lead agency" designated by the governor in order to be eligible for federal funding. See 20 U.S.C. § 1434, 1435(a)(10) (2000); 34 C.F.R. § 303.142 (2002).

Under Texas law, the Council is "the lead agency designated by the governor" under the IDEA "for the administration, supervision, and monitoring of a statewide comprehensive system of early intervention services." Tex. Hum. Res. Code Ann. §73.0051(a) (Vernon 2001). The purpose of these services is to ensure that infants and toddlers who have developmental needs or who are at risk for developmental delay "receive services that are provided in partnership with their families and in the context of their local community." Id. The Council is responsible for seeking evaluation of each child referred for services and for referring the child to a program that can meet the child's needs. See id. § 73.009. The Council is authorized to select providers of services, see id. § 73.011, and to enter into, administer, and monitor contracts with providers "for programs and projects authorized under this chapter," id. § 73.0051(c). We will refer to these providers as "local service providers," a term used in the federal rules. See, e.g., 34 C.F.R. § 303.5(b)(3) (2002).

The Council has recently inserted terms into its contracts with local service providers that require them to collect and submit to the Council information about the children and families they serve. You ask what legal authority allows the Council "to contractually demand that" local service providers "collect and disclose such individually identifiable information to the agency."¹ We conclude that chapter 73 of the Human Resources Code authorizes the Council to require service providers to collect and submit information to the Council. In addition, Part C of the IDEA and the federal rules applicable to the information permit local service providers to transfer information about children to the Council.

"[A] state administrative agency has only those powers that the Legislature expressly confers upon it. But an agency may also have implied powers that are reasonably necessary to carry out the express responsibilities given to it by the Legislature."Pub. Util. Comm'n v. City Pub. Serv. Bd., 53 S.W.3d 310, 315 (Tex. 2001). Although no provision in chapter 73 of the Human Resources Code expressly authorizes the Council to require local service providers to submit information about children and families receiving services funded by the Council, this authority may be implied from the Council's express statutory duties.

First, as we have noted, the Council is authorized by section73.0051(c) of the Human Resources Code to "enter into, administer, and monitor contracts with providers." Tex. Hum. Res. Code Ann. § 73.0051(c) (Vernon 2001). Section 73.011 requires the Council to select providers that will provide the best value, taking into account such factors as past performance and the quality and cost of the provider's services. See id. § 73.011(a), (c). These provisions authorize the Council to require a local service provider to collect and submit to the Council information that will allow the Council to monitor the contract and to assess the provider's performance.

The federal rules under Part C of the IDEA require a statewide system to include a process for collecting data from agencies and service providers in the state. See 34 C.F.R. § 303.540 (2002). Section 73.0051(k) of the Human Resources Code requires the Council to "select an appropriate automated system . . . to plan, manage, and maintain records of client services." Tex. Hum. Res. Code Ann. § 73.0051(k) (Vernon 2001). This provision clearly authorizes the Council to require local service providers to collect and submit information that will enable the Council to plan, manage, and maintain records of client services. The phrase "records of client services" suggests the legislature intends the Council to maintain records regarding individual clients and the services they receive. Section 73.0051(k) impliedly authorizes the Council to require local providers to submit information about children and families receiving services funded by the Council.

The IDEA does not prohibit but rather expressly contemplates that lead agencies, such as the Council, may obtain personally identifiable information about the children and families to whom they provide services. Under Part C of the IDEA, a statewide system must provide certain procedural safeguards, including "[t]he right to confidentiality of personally identifiable information, including the right of parents to written notice of and written consent to the exchange of such information among agencies consistent with Federal and State law."20 U.S.C. § 1439(a)(2) (2000). A federal rule adopted under the authority of this provision requires each state to "adopt or develop polices and procedures that the State will follow in order to ensure theprotection of any personally identifiable information collected, used, or maintained under this part." 34 C.F.R. § 303.460(a) (2002) (emphasis added). "Personally identifiable information" is defined by the applicable rules to mean:

(1) The name of the child, the child's parent, or other family member;

(2) The address of the child;

(3) A personal identifier, such as the child's or parent's social security number; or

(4) A list of personal characteristics or other information that would make it possible to identify the child with reasonable certainty.

Id. § 303.401(c).

Part C of the IDEA itself is silent with respect to whether local service providers may submit personally identifiable information about children to lead agencies, but the Part C rules permit a transfer of information from a local service provider to a lead agency by incorporating the rules for disclosure of personally identifiable information in student records promulgated under the Family Educational Rights and Privacy Act of 1974,20 U.S.C. § 1232g (2000) (FERPA).

Part B of the IDEA expressly requires the United States Secretary of Education in 20 U.S.C. § 1417 to "take appropriate action" in accordance with FERPA, "to assure the protection of the confidentiality of any personally identifiable data, information, and records collected or maintained . . . by State and local educational agencies pursuant to the provisions" of Part B. Seeid. § 1417(c). Thus, Part B records are accorded the same protections as education records under FERPA. The FERPA framework is an apt one for Part B records as Part B of the IDEA establishes a federal program to assist states to provide special education and other services to children aged three and older, generally in the context of public school systems. See id. §§ 1411-1419.

Section 1417 applies to programs authorized by Part C "to the extent not inconsistent with" Part C. See id. § 1442. In addition, the United States Department of Education has mandated that states accord Part C records the same procedural safeguards accorded to Part B records, including the FERPA protections. See34 C.F.R. § 303.460(b) note (2002) ("The part B provisions incorporate by reference the regulations in 34 C.F.R. part 99 (Family Educational Rights and Privacy); therefore, those regulations also apply to this part."). As applied to Part C information, a reference in the Part B rules to a "[s]tate educational agency" means the "lead agency" and a reference to a "[p]articipating agency" means a "local service provider." Id. § 303.5(b)(1), (3); see also 20 U.S.C. § 1442(1), (2) (2000). Thus, the framework for protecting confidentiality of student information generally applicable to state educational agencies and schools for school age children has been extended to lead agencies and local service providers for infants and toddlers.

The FERPA regulations permit a local education agency to disclose personally identifiable student information to state educational authorities without parental consent subject to the requirements of section 99.35 of the FERPA rules. See 34 C.F.R. § 99.31(a)(3) (2002). Section 99.35(a) permits a state educational authority to "have access to education records in connection with an audit or evaluation of Federal or State supported education programs." Id. § 99.35(a). This rule would appear to authorize a local service provider to transfer personally identifiable information to a lead agency, such as the Council, without parental consent for the purpose of monitoring contracts with local service providers, which constitutes an evaluation of a federal or state supported program. See generally Tex. Att'y Gen. Op. No. JC-0333 (2001) at 4-5 (noting that school districts disclose personally identifiable student information to the Texas Education Agency without parental consent for Public Education Information Management System).

In a related question, you ask what "consent must be obtained from which affected individuals, and how often must the consent be obtained." Request Letter, supra note 1, at 3. The consent requirements of the FERPA regulations, 34 C.F.R. part 99, apply to Part C information. See 34 C.F.R. § 303.404 note 1 (2002); seealso id. § 303.460 note (34 C.F.R. part 99 also applies to Part C regulations). The Council's rule on confidentiality and consent also refers to the FERPA rules. See 25 Tex. Admin. Code § 621.43(12)(A) (2002).

Generally, under the FERPA rules, personally identifiable student information may not be disclosed without parental consent. See34 C.F.R. § 99.30 (2002). However, as discussed above, the FERPA regulations permit a local education agency to disclose personally identifiable student information to state educational authorities without parental consent subject to the requirements of section 99.35 of the FERPA rules, see id. § 99.31(a)(3), "in connection with an audit or evaluation of Federal or State supported education programs." Id. § 99.35(a). This rule authorizes a local service provider to transfer personally identifiable information about a child to a lead agency, such as the Council, without parental consent for the purpose of monitoring contracts with local service providers, which constitutes an evaluation of a federal or state supported program.

Under section 99.35(b), information that is collected under section 99.35(a) must "[b]e protected in a manner that does not permit personal identification of individuals by anyone except the officials referred to in paragraph (a) of this section" and must "[b]e destroyed when no longer needed for the purposes listed in paragraph (a)." Id. § 99.35(b). These requirements do not apply if the parent has given written consent for the disclosure or if the collection of personally identifiable information is "specifically authorized" by federal law. Id. § 99.35(c). Although the FERPA rules clearly allow the transfer of personally identifiable information by local service providers to a lead agency for certain purposes, see id. § 99.35(a), we are not aware of any federal law specifically authorizing the Council to collect personally identifiable information. Thus, if there is no written consent for the disclosure, the Council must adhere to the requirements of section 99.35(b) by protecting the information "in a manner that does not permit personal identification of individuals" except by Council officials and by destroying the information when it is no longer needed to monitor contracts. See id. § 99.35(b).

You also ask "what legal and procedural safeguards must the agency follow to reduce the likelihood of any improper disclosure of the information." Request Letter, supra note 1, at 3. Importantly, any redisclosure of information by the Council must be permitted by FERPA. See 34 C.F.R. § 99.33 (2002). In addition, Part C of the IDEA, see 20 U.S.C. § 1439(a)(2) (2000), and the federal rules under Part C require each state to develop policies and procedures that the state will follow to "ensure the protection of any personally identifiable information collected, used, or maintained under this part, including the right of parents to written notice of and written consent to the exchange of this information among agencies consistent with Federal and State law," 34 C.F.R. § 303.460(a) (2002). In addition, the Part C rules provide that such state policies and procedures must also meet the requirements of rules setting forth procedural safeguards for confidentiality of information in 34 C.F.R. § 300.560 through 300.576 of the Part B rules, see id. § 303.460(b).

The Part B rules applicable to Part C information establish a number of procedures and protections. For example, they require the Council, as a lead agency, to give notice that is adequate to fully inform parents about such matters as "the children on whom personally identifiable information is maintained, the types of information sought, the methods the State intends to use in gathering the information (including the sources from whom information is gathered), and the uses to be made of the information"; "the policies and procedures that [local service providers] must follow regarding storage, disclosure to third parties, retention, and destruction of personally identifiable information"; and "the rights of parents and children regarding this information, including the rights under the Family Educational Rights and Privacy Act of 1974 and implementing regulations in 34 C.F.R. part 99." Id. § 300.561. In addition, the Council must provide "policies and procedures, including sanctions, that the State uses to ensure that its policies and procedures are followed and that the requirements of the Act and the regulations in this part are met." Id. § 300.575; see also 25 Tex. Admin. Code § 621.43 (2002) (Council's rule on confidentiality).

You ask whether "any federal or state constitutional provisions or laws prohibit or limit the scope" of the information that the Council may require local service providers to collect and submit to the Council. Request Letter, supra note 1, at 3. Again, Part C of the IDEA appears to contemplate that a lead agency may obtain personally identifiable information about children and families from local service providers, and the Part C rules, by incorporating the FERPA rules, permit a local service provider to transfer information to a lead agency without parental consent for the purpose of auditing or evaluating a federal or state supported program. Under this FERPA exception, the information collected must be information the lead agency will use to audit or evaluate a program. In addition, we note that section 73.009 of the Human Resources Code provides that "[s]ervices under this section shall be provided in a manner that minimizes intrusion into family privacy." Tex. Hum. Res. Code Ann. § 73.009(c) (Vernon 2001). While this limitation does not prevent the Council from requiring providers to collect necessary information and from requiring the submission of such information to the Council, the Council shall tailor its data collection to minimize intrusion into family privacy. Finally, it has been suggested that the Public Information Act, chapter 552 of the Texas Government Code, may limit the information the Council may obtain from local service providers. That Act governs when information in the possession of a governmental body must be publicly disclosed; it does not govern the scope of information that a governmental body, such as the Council, may collect from the contractors it pays to provide services. See Tex. Gov't Code Ann. §§ 552.001-.353 (Vernon 1994 Supp. 2002).

You ask what remedies affected individuals would have against the Council for any improper disclosure of personally identifiable information by the Council. The Council has a procedure for reviewing a complaint "alleging that a requirement of the [IDEA] or applicable federal and/or state regulation has been violated." 25 Tex. Admin. Code § 621.42 (2002). An individual who believes that the Council has improperly disclosed personally identifiable information about his or her child in violation of FERPA and the Part C rules could file a complaint with the Council under this procedure. The Council's procedure, however, does not provide any specific remedy for improper disclosure of information. See id.

With respect to other state laws, information made confidential under FERPA is also confidential under the Public Information Act. See Tex. Gov't Code Ann. §§ 552.026 (Vernon 1994) ("This chapter does not require the release of information contained in education records of an educational agency or institution, except in conformity with the Family Educational Rights and Privacy Act of 1974, Sec. 513, Pub.L. No. 93-380, 20 U.S.C. § 1232g."), .101 ("Information is excepted from the requirements of Section 552.021 if it is information considered to be confidential by law, either constitutional, statutory, or by judicial decision."); Tex. Att'y Gen. ORD-634 (1995) (information that is protected by FERPA may be withheld as confidential information under section 552.101). The Public Information Act provides that a person commits official misconduct "if the person distributes information considered confidential under the terms of this chapter," an offense punishable by a fine of not more than $1,000, up to six months of confinement, or both. Tex. Gov't Code Ann. § 552.352 (Vernon 1994).

The Public Information Act does not provide a civil remedy for the release of confidential information. Although Texas courts recognize some common-law privacy torts,² the Council, as a state agency, is immune from suit except to the extent the state has waived its immunity. As a general matter, "the state does not waive its immunity [under the Tort Claims Act] by using or misusing information." Axtell v. Univ. of Tex., 69 S.W.3d 261,267 (Tex.App.-Austin 2002, no pet.) (holding that student's claim for harm caused by the disclosure of confidential information did not state a cause of action under section 101.021(2) of the Tort Claims Act); see also City of Beaumont v. Bouillion,896 S.W.2d 143 (Tex. 1995) (holding that Texas recognizes neither an implied private right of action nor a common-law cause of action for damages for violation of constitutional rights).

With respect to remedies available under federal law, the Department of Education may deny funding to a state program that fails to comply with the requirements of Part C of the IDEA. See20 U.S.C. § 1416 (2000) (authorizing Secretary of Education to withhold funding upon a finding "that there has been a failure by the State to comply substantially with any provision of this subchapter" or "that there is a failure to comply with any condition of a local educational agency's or State agency's eligibility under this subchapter"), 1434 (to be eligible for Part C grant, state must have "a statewide system that meets the requirements of section 1435 of this title"), 1435(a)(13) (requiring statewide system to have "[p]rocedural safeguards with respect to programs under this subchapter, as required by section 1439 of this title"), 1439(a)(2) (minimum procedural safeguards include "[t]he right to confidentiality of personally identifiable information, including the right of parents to written notice of and written consent to the exchange of such information among agencies consistent with Federal and State law"), 1442 (providing that 20 U.S.C. § 1416 applies to Part C of the IDEA); see also 34 C.F.R. § 300.580-.589 (2002) (Part B enforcement procedures); 303.5(a)(3) (specifically incorporating 34 C.F.R. § 300.580-.585 into Part C rules).

We have not located any case law addressing disclosure of personally identifiable information collected under Part C of the IDEA. We have located a 1992 federal district court case regarding the release of information subject to Part B of the IDEA. See Sean R. v. Bd. of Educ., 794 F. Supp. 467 (D.Conn. 1992). In that case, a local school board released to a newspaper the name of a child and his parents. Ruling on the school board's motion to dismiss, the court concluded that the plaintiffs, the child and his parents, had a reasonable expectation of privacy under the IDEA and its rules that was protected under the United States Constitution and therefore had a cause of action under thefourteenth amendment and 42 U.S.C. § 1983. See Sean R.,794 F. Supp. at 469. The court also held that the plaintiffs had a right of action under 42 U.S.C. § 1983 for violation of the IDEA. See id. at 469-70. In the intervening years, however, the IDEA has been amended and there is a split between the federal circuit courts regarding whether 42 U.S.C. § 1983 may be used to redress violations of the IDEA and the extent to which the states are immune from suit under the IDEA. See, e.g., Padilla v. Sch. Dist.No. 1, 233 F.3d 1268, 1272-74 (10th Cir. 2000) (describing circuit split with respect to whether the IDEA may provide a basis for 42 U.S.C. § 1983 claims); Bradley v. Ark. Dept. of Educ.,189 F.3d 745, 750-52 (8th Cir. 1999) (discussing IDEA and sovereign immunity); Marie O. v. Edgar, 131 F.3d 610 (7th Cir. 1997) (upholding 42 U.S.C. § 1983 action for declaratory and injunctive relief against state for failing to provide services under predecessor to Part C of the IDEA); see also Allan G. Osborne, Jr., Ed.D., Can Section 1983 be Used to RedressViolations of the IDEA?, 161 Ed. Law Rep. 21 (March 2002).

FERPA provides that federal funding for education will not be made available to an educational agency or institution that has a policy or practice of releasing "education records (or personally identifiable information contained therein other than directory information . . .) of students without the written consent of their parents to any individual, agency, or organization, other than" certain specified entities in certain limited circumstances. 20 U.S.C. § 1232g(b)(1) (2000); see also34 C.F.R. § 99.63-.67 (2002). A parent may file a written complaint with the Department of Education's Family Policy Compliance Office regarding an alleged violation of FERPA and or the FERPA regulations. See 34 C.F.R. § 99.63 (2002). While the Fifth Circuit has concluded that FERPA does not grant a private right of action, it has also held that an action under 42 U.S.C. § 1983 may be premised on an alleged violation of FERPA rights. See Tarka v.Cunningham, 917 F.2d 890 (5th Cir. 1990). However, the United States Supreme Court recently held that FERPA's nondisclosure provisions create no personal rights enforceable under42 U.S.C. § 1983. See Gonzaga Univ. v. Doe, 122 S. Ct. 2268 (2002). Thus, a private party may not bring a 42 U.S.C. § 1983 action for the improper release of records subject to Part C of the IDEA based on FERPA's nondisclosure provisions.

Finally, you ask what liability local service providers would have for improper disclosures of personally identifiable information by the Council and what remedies local service providers would have against the Council for improper disclosures of information. In the event a local service provider transfers information to the Council about children and their families in accordance with the Part C rules and the FERPA rules and pursuant to contractual requirements, we do not believe that the local service provider could have any liability for any subsequent improper disclosure of information by the Council. The Council, on the other hand, would risk losing its federal funding. See20 U.S.C. § 1232g(b)(1), 1416, 1434, 1435, 1439, 1442 (2000);34 C.F.R. § 99.63-.67 (2002). And, as we have noted, the Public Information Act applies to personally identifiable information in the possession of the Council and provides that a person commits official misconduct "if the person distributes information considered confidential under the terms of this chapter," an offense punishable by a fine of not more than $1,000, up to six months of confinement, or both. Tex. Gov't Code Ann. § 552.352 (Vernon 1994); see also id. §§ 552.026 ("This chapter does not require the release of information contained in education records of an educational agency or institution, except in conformity with the Family Educational Rights and Privacy Act of 1974, Sec. 513, Pub.L. No. 93-380, 20 U.S.C. § 1232g."), .101 ("Information is excepted from the requirements of Section 552.021 if it is information considered to be confidential by law, either constitutional, statutory, or by judicial decision.").

SUMMARY The Texas Interagency Council on Early Childhood Intervention is authorized by state and federal law to require local service providers to submit personally identifiable information about children and their families for the purpose of evaluating federally and state funded programs. The Council may not redisclose the information except in compliance with federal law. In addition, the Public Information Act applies to such information in the possession of the Council and provides that a person commits official misconduct "if the person distributes information considered confidential under the terms of this chapter," an offense punishable by a fine of not more than $1,000, up to six months of confinement, or both. Tex. Gov't Code Ann. § 552.352 (Vernon 1994); see also id. §§ 552.026 ("This chapter does not require the release of information contained in education records of an educational agency or institution, except in conformity with the Family Educational Rights and Privacy Act of 1974, Sec. 513, Pub.L. No. 93-380, 20 U.S.C. § 1232g."), .101 ("Information is excepted from the requirements of Section 552.021 if it is information considered to be confidential by law, either constitutional, statutory, or by judicial decision.").

Yours very truly,

JOHN CORNYN Attorney General of Texas

HOWARD G. BALDWIN, JR. First Assistant Attorney General

NANCY FULLER Deputy Attorney General — General Counsel

SUSAN DENMON GUSKY Chair, Opinion Committee

Mary R. Crouter Assistant Attorney General, Opinion Committee

¹ Letter from Honorable Jane Nelson, Chair, Committee on Nominations, Texas Senate, to Honorable John Cornyn, Texas Attorney General, at 3 (Apr. 12, 2002) (on file with Opinion Committee) [hereinafter Request Letter].

² See Indus. Found. of the S. v. Tex. Indus. Accident Bd.,540 S.W.2d 668, 682 (Tex. 1976), cert. denied, 430 U.S. 931 (1977) (recognizing right to "freedom from public disclosure of embarrassing private facts"); Billings v. Atkinson,489 S.W.2d 858, 859-61 (Tex. 1973) (recognizing right to be free of intrusion into plaintiff's seclusion); see also Cain v. HearstCorp., 878 S.W.2d 577 (Tex. 1994) (declining to recognize the false light invasion of privacy action).