NCES-Data Stewardship Document - 2011602



  • 7/28/2019 NCES-Data Stewardship Document - 2011602


    SLDS Technical Brief: Guidance for Statewide Longitudinal Data Systems (SLDS)

    November 2010, Brief 2, NCES 2011-602

    Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records

    Contents

    Data Stewardship Defined ..............1

    Conduct an Inventory of Personally Identifiable Information ................................2

    Implement Internal Procedural Controls to Protect Personally Identifiable Information ................................8

    Provide Public Notice of Education Record Systems ........13

    Accountability and Auditing ........16

    References ....................................18

    SLDS Technical Briefs are intended to provide best practices for consideration by states developing Statewide Longitudinal Data Systems.

    For more information, contact: Marilyn Seastrom, National Center for Education Statistics, (202) [email protected]

    The growth of electronic student data in America's education system has focused attention on the ways these data are collected, processed, stored, and used. The use of records in Statewide Longitudinal Data Systems to follow the progress of individual students over time requires maintaining student education records that include information that identifies individual students. The sensitivity of some of the personally identifiable information in student records increases the level of concern over these data. Administrators and data managers can help ensure the protection of personally identifiable information in the student records they maintain by developing and implementing a privacy and data protection program. The principles embodied in the Fair Information Practices adopted in the United States by the Federal Chief Information Officers Council and the Department of Homeland Security, coupled with the Family Educational Rights and Privacy Act (FERPA) and related regulations, provide a foundation for such a program.

    Data Stewardship Defined

    In 1973, the Department of Health, Education and Welfare (HEW) report Records, Computers and the Rights of Citizens: Report of the Secretary's Advisory Committee on Automated Personal Data Systems discussed the need to maintain data in the system "with such accuracy, completeness, timeliness, and pertinence as is necessary to assure accuracy and fairness in any determination relating to an individual's qualifications, character, rights, opportunities, or benefits that may be made on the basis of such data" (pg. 6, Chapter IV). This was codified in the Privacy Act of 1974 (5 U.S.C. 552a(g)(1)(C)). More recently, on its website, the American Statistical Association's Committee on Privacy and Confidentiality cites the Census Bureau's definition of data stewardship as "an organizational commitment to ensure that identifiable information is collected, maintained, used, and disseminated in a way that respects privacy, ensures confidentiality and security, reduces reporting burden, and promotes access to statistical data for public policy." These two sets of requirements can be combined and tailored to education data as follows:

    Data stewardship is an organizational commitment to ensure that data in education records, including personally identifiable information:

    Are accurate, complete, timely, and relevant for the intended purpose;

    Are collected, maintained, used, and disseminated in a way that respects privacy and ensures confidentiality and security;

    Meet the goals of promoting access to the data for evaluating and monitoring educational progress and educational programs; and

    Meet the goals of assuring accuracy to ensure that decisions relating to an individual student's rights and educational opportunities are based on the best possible information.


    These requirements are best operationalized through written policies and procedures. Typically, in a system with multiple uses and users, the task of establishing and promulgating policies and procedures is assigned to a Governance Committee that includes representatives of management, legal counsel, the data system administrator, data providers, data managers, and data users. The members representing these different stakeholders should be appointed to the Governance Committee by the head of the state education office, school district, or school, depending on the level where the affected data are held. This group should be established to work collaboratively to develop the policies and procedures for a privacy and data protection program. These policies would then be implemented by the data system administrator through the ongoing management of data collection, processing, storage, maintenance, and use of student records. Any appeals of the established policies and procedures should be directed to the appointing official.

    In developing a statewide longitudinal data system, privacy and data protection plans must be in place in each entity that holds student records with personally identifiable information. This includes, for example, preschools, elementary and secondary schools, postsecondary programs and institutions, and workforce training programs. It also includes different organizational levels within each of these components of the education system; for example, elementary and secondary school data are typically held at the school, district, and state levels. Whether they are developed separately at each level or as a part of a unified approach across levels, efforts must be undertaken to ensure that the policies and rules and regulations are compatible across levels. For example, in elementary and secondary education, there may be more information maintained in a student education record at the school and district level than is planned at the state level. In this case, if the privacy and data protection plans are being developed and promulgated from the state level, districts and schools must supplement their plans to ensure that all personally identifiable information maintained about their students is included. On the other hand, if each education level is developing privacy and data protection plans separately, efforts must be undertaken to ensure that established policies and procedures are complementary and do not conflict.

    Conduct an Inventory of Personally Identifiable Information

    In order to ensure that the necessary data protections are in place, the Governance Committee or a Data Subcommittee for each entity that holds student records must first identify the personally identifiable data elements that need to be protected. Personally identifiable information (PII) includes information that can be used to distinguish or trace an individual's identity either directly or indirectly through linkages with other information. In the case of education data, the FERPA regulations (34 CFR 99.3) define the term as follows:

    The term "personally identifiable information" includes, but is not limited to:

    1. The student's name;

    2. The name of the student's parent or other family members;

    3. The address of the student or student's family;

    4. A personal identifier, such as the student's Social Security Number, student number, or biometric record;

    5. Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;

    6. Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; and/or

    7. Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates. (34 CFR 99.3)


    In conducting the inventory, the specific use of PII must be taken into account. For example, while FERPA has provisions to protect students' right to privacy, including the right to inspect and review education records (20 U.S.C. 1232g(a); 34 CFR 99.10) and a requirement for consent to disclose information to unauthorized entities (20 U.S.C. 1232g(b); 34 CFR 99.30), FERPA permits the release of student directory information1 (20 U.S.C. 1232g(a)(5); 34 CFR 99.3). A school directory may include PII such as a student's name, grade level, and contact information. Taken by itself, the release of this information is not harmful to a student. However, when combined with the student's Social Security Number or another identifier and the student's education record, this information has the potential for violating a student's right to privacy. The release of this combined record could lead to harm or embarrassment. Thus, the privacy and data protection program should focus on PII that will be maintained in the electronic student record system with its likely wealth of student data.2

    Identify All Personally Identifiable and Sensitive Information

    The inventory should include all current and proposed data elements (National Institute of Standards and Technology [NIST], Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), 2010 Special Publication 800-122, pg. 2-2). It should also identify both direct and indirect identifiers.

    Direct identifiers provide information that is unique to the student or the student's family (e.g., name, address, Social Security Number, other unique education-based identification number, photograph, fingerprints, or other biometric record). Indirect identifiers are not unique to the student or the student's family but can be used in combination with other information about the student to identify a specific student (e.g., racial or ethnic identity, date of birth, place of birth, mother's maiden name, grade level, participation in a specific program, course enrollment).

    An analysis of indirect identifiers should consider the likelihood of identifying an individual student both as a result of a combination of multiple data elements included in the student's education record and as a result of linking the information in education records to information included in external databases. In the first instance, a combination of data elements within student education records might reveal that there is only one student in a specific grade within a school with a set of observable characteristics who experienced a negative academic outcome (e.g., one Hispanic third-grader receiving instruction as an English language learner failed to reach the "proficient" performance level on the state reading assessment). In the second instance, if an external database contains enough overlapping data elements that are unique to an individual student, the two databases can be linked and any additional PII included in the external database can then be associated with that student's education record.

    Linkage with information from an external source could occur as a result of a direct linkage by someone with access to two confidential data systems who is able to directly link the two databases (e.g., the student record linked to local public health records on sexually transmitted diseases or local crime records) or as a result of a less direct linkage of information from a student's education record with information available in public records (e.g., the education record for a 15-year-old Asian female includes participation in services for unmarried pregnant students, and public birth records could be used to identify the father of the student's child. Alternatively, an education record might show that a 13-year-old female student was the victim of a violent assault during the school day on a specific date (without the specifics of the assault). Meanwhile, a report in a local newspaper, while protecting the direct identifiers of the victim, reveals some of the details of an assault on a female student in that school on the same date).
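    Both risks described above, a within-record combination of indirect identifiers that singles out one student and a join to an external table on shared indirect identifiers, can be checked mechanically before a data element or an extract is approved. The Python below is an added example, not code from the NCES brief or from any state system: the student records, the external roster, the field names and the threshold k are constructed assumptions for illustration, and the same grouping step serves both the small-cell check and the linkage attempt.

```python
"""Small-cell and linkage check over a constructed student extract.

Added example, not code from the NCES brief. The records, field names
and the threshold k are constructed assumptions for illustration.
"""
from collections import Counter, defaultdict

# Constructed student records for one school (not real data).
STUDENTS = [
    {"id": "S1", "grade": 3, "ethnicity": "Hispanic", "ell": True,  "reading": "below"},
    {"id": "S2", "grade": 3, "ethnicity": "Hispanic", "ell": False, "reading": "proficient"},
    {"id": "S3", "grade": 3, "ethnicity": "White",    "ell": False, "reading": "proficient"},
    {"id": "S4", "grade": 3, "ethnicity": "White",    "ell": False, "reading": "below"},
    {"id": "S5", "grade": 4, "ethnicity": "Hispanic", "ell": True,  "reading": "proficient"},
    {"id": "S6", "grade": 4, "ethnicity": "Hispanic", "ell": True,  "reading": "below"},
]

# Constructed external table (e.g., a public roster) that shares some
# indirect identifiers with the education record but also carries a name.
EXTERNAL = [
    {"name": "A. Perez", "grade": 3, "ethnicity": "Hispanic", "ell": True},
    {"name": "B. Smith", "grade": 3, "ethnicity": "White", "ell": False},
]


def equivalence_classes(records, quasi_ids):
    """Group record ids by the values of the chosen indirect identifiers."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi_ids)].append(r["id"])
    return dict(classes)


def small_cells(records, quasi_ids, k=3):
    """Value combinations that isolate fewer than k students.

    A cell of size 1 is the "only one Hispanic third-grader in ELL"
    situation from the text: the combination alone identifies the student.
    """
    return {key: ids for key, ids in equivalence_classes(records, quasi_ids).items()
            if len(ids) < k}


def min_k(records, quasi_ids):
    """Smallest equivalence class, i.e. the k in k-anonymity for this extract."""
    return min(len(ids) for ids in equivalence_classes(records, quasi_ids).values())


def link_external(records, external, join_keys):
    """Attempt the linkage: join an external table on shared indirect
    identifiers and report every external row that lands on exactly one
    student, since that row's name is then tied to the education record."""
    classes = equivalence_classes(records, join_keys)
    linked = {}
    for row in external:
        ids = classes.get(tuple(row[q] for q in join_keys), [])
        if len(ids) == 1:
            linked[row["name"]] = ids[0]
    return linked


def suppressed_table(records, quasi_ids, outcome, k=3):
    """Aggregate an outcome by indirect identifiers, suppressing cells with
    fewer than k students so that a release does not single anyone out."""
    by_id = {r["id"]: r for r in records}
    table = {}
    for key, ids in equivalence_classes(records, quasi_ids).items():
        if len(ids) < k:
            table[key] = None      # suppressed cell
        else:
            table[key] = Counter(by_id[i][outcome] for i in ids)
    return table


if __name__ == "__main__":
    qi = ("grade", "ethnicity", "ell")
    print("k =", min_k(STUDENTS, qi))
    print("small cells:", small_cells(STUDENTS, qi, k=2))
    print("linked:", link_external(STUDENTS, EXTERNAL, qi))
    print("release:", suppressed_table(STUDENTS, qi, "reading", k=2))
```

    On the constructed data the three indirect identifiers leave S1 and S2 alone in their cells, and the external roster resolves "A. Perez" to S1, at which point the reading outcome in the record is attached to a name. The same check run with a larger k before each release is the practical form of the analysis the text asks for.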

    1 Educational agencies or institutions are granted the authority, under FERPA, to publicly release directory information after providing public notice to the parents of students or to eligible students in attendance at the agency or institution of the types of personally identifiable information that the agency or institution has designated as directory information. The parent or the eligible student must also be given the right to refuse to have any or all of the student's information released as directory information.

    2 An electronic student record system, or information system, consists of "a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of [education] information." (44 U.S.C. 3502)

    At the elementary and secondary level, an analysis of the indirect identifiers should also consider whether any of the data elements are protected under the Protection of Pupil Rights Amendment (PPRA) (20 U.S.C. 1232h; 34 CFR Part 98). To protect the privacy and related rights of students and parents, the PPRA requires written parental consent before a minor student can be required to participate in any survey, analysis, or evaluation funded by the U.S. Department of Education that includes information concerning the following:3

    1. Political affiliations or beliefs of the student or parent;

    2. Mental and psychological problems of the student or the student's family;

    3. Sex behavior or attitudes;

    4. Illegal, anti-social, self-incriminating, and demeaning behavior;

    5. Critical appraisals of other individuals with whom respondents have close family relationships;

    6. Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;

    7. Religious practices, affiliations, or beliefs of the student or the student's parent; or

    8. Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).

    In the event any data elements under consideration for inclusion in a student record system involve any of these eight topics, those data elements should be included on the inventory of PII and should be identified on the list as PPRA-related variables.

    A number of data systems include data on students' instructors. A teacher identification number, a student-teacher link, and information on the teacher's education, certification, teaching assignments, and scores on teacher assessments are examples of the types of teacher data elements that may be included at the preschool, elementary, and secondary levels. A faculty identification number, a student-faculty link, and information on the faculty member's field, education, tenure status, credit hours taught in the relevant academic period, and amount of funded research may be included at the postsecondary level. Although FERPA and the definitions given refer specifically to students, PII on teachers and any other staff that are maintained as part of the electronic record system should be included in the inventory of PII and protected in the same way as the student data. Apart from the fact that protecting any PII is a best practice, when faculty and staff data are linked to the student's record, they become indirect identifiers for the student record and can be used to identify individual students.

    3 Under PPRA (20 U.S.C. 1232h; 34 CFR Part 98), school districts receiving funds from the U.S. Department of Education are required to provide annual parental notification of their policies concerning students' rights and of the specific or approximate dates during the school year of any survey that is scheduled to be administered to students if the survey includes any of the eight restricted topics, regardless of survey funding.


    Confirm the Need to Maintain Personally Identifiable Information

    The Fair Information Practice of Data Minimization and Retention calls for "only collecting personally identifiable information that is directly relevant and necessary to accomplish the specified purpose(s) [and for] only retaining personally identifiable information for as long as is necessary to fulfill the specified purpose(s)." In addition, the Fair Information Practice of Purpose Specification calls for "specifically articulating the purpose or purposes for which the PII is intended to be used." Once the list of current or planned PII in an education record is completed, the planned uses should be identified for each data element (NIST, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), 2010 Special Publication 800-122, pg. 34). Decisions should be made as to whether each data element is needed.

    The National Forum on Education Statistics4 identified the following K-12 administrative uses of student education records in the 2004 report Forum Guide to Protecting the Privacy of Student Information: State and Local Agencies (pg. 44):

    INSTRUCTION: Teachers and counselors need information about an individual student's previous educational experiences and any special needs the student might have to deliver appropriate instruction and services and to plan educational programs; parent contact information is needed to keep parents informed of student progress.

    OPERATIONS: Schools and districts need data for individual students to ensure the efficiency of day-to-day functions such as attendance records, meeting individual students' special needs, handling individual students' health problems, and operating food service and transportation programs.

    MANAGEMENT: Schools, districts, and state education agencies use data about students for planning and scheduling educational programs and for the distribution of resources.

    ACCOUNTABILITY: Schools, districts, and state education agencies use data about students and about individual students' progress to provide information about students' accomplishments and the effectiveness of schools and specific educational programs.

    RESEARCH AND EVALUATION: Schools, local, state, and federal education agencies use data about students and about individual students' progress to conduct analysis of program effectiveness, the success of student subgroups, and changes in achievement over time to identify effective instructional strategies and to promote school improvement.

    Recent legislative initiatives provide funds for states to develop and implement statewide longitudinal data systems to support data-driven decisions to improve student learning and to facilitate research to increase student achievement and close achievement gaps.5 These data systems are intended to enhance the ability of states to manage, analyze, and use education data. The supporting legislation calls for an expansion in the amount of information included in student education records, including linkable student and teacher identification numbers and student and teacher information on student-level enrollment, demographics, program participation, test records, transcript information, college readiness test scores, successful transition to postsecondary programs, enrollment in postsecondary remedial courses, and entries and exits from various levels of the education system. To facilitate the usefulness of this information, the legislation also calls for an alignment between P-12 and postsecondary data systems, which requires linkages between student and teacher records, between preschool and elementary education, and between secondary and postsecondary education and the workforce.6 These linkages require data sharing across different components of the education system.

    4 This entity is a part of the National Cooperative Education Statistics System, which is authorized in law (20 U.S.C. 9547). It was established and is supported by the National Center for Education Statistics for the purpose of assisting in producing and maintaining comparable and uniform information and data on early childhood education and elementary and secondary education. To this end, the National Forum proposes principles of good practice to assist state and local education agencies.

    5 Educational Technical Assistance Act of 2002, Title II of ESRA, 20 U.S.C. 9607.

    6 The America COMPETES Act, 20 U.S.C. 9871, identifies data elements that are important in statewide longitudinal data systems. Title VIII of the American Recovery and Reinvestment Act of 2009 (ARRA, Pub. L. 111-5) authorizes funds to the Institute of Education Sciences to carry out section 208 of the Educational Technical Assistance Act, $250,000,000, which may be used for Statewide data systems that include postsecondary and workforce information, and Title XIV of this Act requires states accepting funds under this Act to establish statewide longitudinal data systems that incorporate the data elements described in the America COMPETES Act.


    Some of the uses of education data require PII from individual students' records; others use aggregated student data for one point in time that are derived from information included in education records; others use aggregate student data that are derived from longitudinal data on individual students; still others use individual student-level data linked across levels of the education system. Thus, some uses require access to PII, including the students' names and contact information, and, in some cases, linked longitudinal data; some may require detailed linked longitudinal data included in student records but do not require access to the individual students' names or other direct identifiers; still others may require nothing more than aggregates of data for a single year, again with no need for any information on individual students. Lists of the specific anticipated uses and linkages of the data can help to clarify data needs and to identify those needs which do or do not require access to PII. In addition, given the utility of linking data across sectors, care should be taken to ensure that the direct identifiers that are needed for accurate linking across record systems are maintained.

    The length of time student records are retained is complicated by the fact that students may need to request information from education records as proof of credentials for employment purposes over the course of their workforce careers. To protect student privacy, while at the same time maintaining student records, the Governance Committee should develop a schedule and plan for migrating student education records to a retrievable archive following a student's completion at a specific level or departure due to transferring or dropping out. This would preserve the student education records for use in documenting a student's educational credentials (e.g., grade level and/or courses completed and grades or scores earned, honors conferred) and would allow for linkages across sectors and for retrospective evaluations of educational progress. At the same time, archiving historic student education records in a secure environment that is separate from the currently active components of an electronic student record system decreases the likelihood of unauthorized or inadvertent disclosures of records belonging to former students. Similarly, the Governance Committee should establish a plan for record destruction at such point in time when it is anticipated that the records will no longer be needed.

    Ensure Data Quality and Integrity

    The Fair Information Practice of Data Quality and Integrity calls for ensuring, "to the greatest extent possible, that personally identifiable information is accurate, relevant, timely, and complete for the purposes for which it is to be used." The issue of relevance will have already been addressed in the review of the specific uses and need for individual data items. Once a decision is reached to maintain a specific data element in students' education records, there is an obligation to ensure that the information included is up to date and complete and that it accurately reflects the student's educational experiences. Systems should be put in place to ensure the regular periodic updating of student education records with the most current and accurate information available for the intended purpose (e.g., an annual review and updating of student course transcripts). In fact, in recognition of the importance of these elements of student privacy, FERPA (20 U.S.C. 1232g(a)) and the related regulations (34 CFR 99) acknowledge the right of a parent to inspect and review his or her child's (or, in the case of an eligible student, his or her own) education record for accuracy and to ensure that there are no violations of privacy, with the right to request a correction or amendment.

    Identify the Risk Level Associated with Different Types of Personally Identifiable Information

    Not all personally identifiable data have the same level of sensitivity.7 Some personally identifiable data elements are more identifiable and/or more sensitive than others and may thus require more electronic security and more controls on access to the data elements. To guide the organization's use of PII and the protections provided for such data, the Governing Committee or the Data Subcommittee should also evaluate the risk of harm associated with each personally identifiable data element. All PII included in a student education record system must be protected, but some may require additional protections (e.g., Social Security Numbers, disciplinary record, medical records).

    7 Sensitivity should be evaluated both in terms of the specific data element and other available personally identifiable data elements. Note that an individual's SSN, medical history, or financial account information is generally considered more sensitive than an individual's phone number or ZIP code.


    PII that is unique to a specific individual is more identifiable than certain other personally identifiable data elements that may be shared with others. For example, a student's Social Security Number, fingerprints, or other biometric data are unique to an individual. In contrast, other personally identifiable data elements, such as a ZIP code or date of birth, may be shared by multiple students.8

    In evaluating the sensitivity of individual personally identifiable data elements, the Governing Committee or the Data Subcommittee should take the potential for harm from an unauthorized or inadvertent disclosure into account. In this context, harm refers to any adverse effects that would be experienced by an individual whose PII was the subject of a loss of confidentiality, as well as any adverse effects experienced by the organization that maintains the PII9 (NIST, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), 2010 Special Publication 800-122, p. 3-1, 2). In the case of a student, harm might include, for example, identity theft, discrimination, or emotional distress. The related harm to the organization responsible for the confidentiality breach could include loss of public confidence and public reputation, administrative burden of investigating the breach and ensuring necessary remedial steps are taken, and financial losses. To start the process of mitigating the disclosure of harmful information, personally identifiable data elements can be categorized by level of sensitivity (i.e., the likelihood of harm from an unauthorized disclosure), perhaps as high, medium, and low. Note that any data elements identified as a PPRA-related variable should be categorized as a high-risk data element. After the risk level is established, consideration should be given to providing more protection and more restrictions on access for the data elements that are identified as highly sensitive. For example, these data elements might be stored apart from the rest of the student record in a more secure electronic environment, with access limited to "need to know" circumstances for only a subset of those with access to the system.

    Summary

    At this point the Governing Committee or its Data Subcommittee has inventoried and listed all personally identifiable data elements. The list includes descriptions of the following for each personally identifiable data element:

    Content/definition;

    Type of identifier (direct or indirect);

    PPRA-related variable status;

    Specific use(s) and relevance;

    Accuracy;

    Timeliness for the intended use; and

    High, moderate, or low risk of harm from disclosure.

    After a thorough review of the list, the Governing Committee should decide whether to retain all existing personally identifiable data elements and whether to go forward with the inclusion of any additional proposed personally identifiable data elements. The inventory of personally identifiable data should be updated each time new data elements are considered for inclusion in the student record data system.

    8 It is important to note, however, that groups of the less sensitive identifiers can be combined to identify specific individuals. For example, researcher Latanya Sweeney used public anonymous data from the 1990 census to show that the combination of the five-digit residential ZIP code, gender, and exact date of birth could likely lead to the identification of 87 percent of the population in the United States (in 2005 testimony before the Pennsylvania House Select Committee on Information Security, House Resolution 351, Recommendations to Identify and Combat Privacy Problems in the Commonwealth).

    9 Harm to an individual includes any negative or unwanted effects (i.e., that may be socially, physically, or financially damaging).


    Implement Internal Procedural Controls to Protect Personally Identifiable Information

    The Fair Information Practice of Security calls for "protecting personally identifiable information (in all media) through appropriate administrative, technical, and physical security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure." There are a variety of internal controls that can be employed to assist procedurally in the management of personally identifiable data.10 The first set is a technical solution that involves assigning new unique student identifiers to protect students' PII in longitudinal electronic data systems. The second set focuses on procedures for workforce security to ensure that only authorized staff members are given access to personally identifiable student records. The third set combines aspects of the first two sets of controls in a role-based management approach that is intended to ensure that access to each student's education record is available on a need-to-know basis. The fourth set involves operating rules for the conditions of use, such as rules concerning permissible uses and prohibiting unauthorized uses, procedures for protecting PII when it is in the possession of authorized users, and procedures for ensuring destruction of copies of records at the end of a period of authorized use. The fifth set of internal controls involves planning for possible data breaches by establishing procedures for reporting known or suspected breaches, analyzing the causes and impact of breaches, and notifying affected individuals.

    Unique Student Identifiers and the Use of Linking Codes as Controls for Sensitive Information

    In order to monitor the educational progressand experiences of individual students as theyprogress through the education system, a uniquerecord identifier is needed to link each studentselectronic record across grade levels and acrossschools, institutions, and related educationalprograms. Once attached to a student record, thisidentifier becomes part of that students PII, as itmust be unique to the student to be useful.

    Each child already has a unique Social Security Number that could also be used to link information in a student record system with information from education-related activities in other social service programs (e.g., Head Start or family services); thus, this might seem like the logical number to use as the student identifier in an electronic student record system in a K-12 or postsecondary setting. However, the Social Security Number should be treated as a sensitive piece of PII. In addition to being used to track a number of official electronic transactions, it is the single most misused piece of information by criminals perpetrating identity thefts. Using it on a day-to-day basis in an electronic student record system increases the possibility of a harmful disclosure that has ramifications beyond the student's education record. Instead, a separate unique student identifier that is distinct from the student's Social Security Number should be used on a day-to-day basis in an electronic record system.

    The unique student identification number can be assigned at the school, district, or state level; however, care must be taken to ensure that within any record system each student has only one assigned identification number and that two students do not share the same identification number. If student records from separate schools within a district form a district-wide student record system, the student identification numbers should be assigned at the district level to ensure that each student in the district has a single unique identification number. Similarly, if all of the school districts in a state form a state-wide student record system, the student identification numbers should be assigned at the district level to ensure that each student in the state has a single unique identification number.

    Each student's Social Security Number should be maintained as a data element in the student record system because of the important role it plays when linkages are needed to other record systems (e.g., across states or across education levels within a state); however, consideration should be given to storing the student's Social Security Number in a separate secure location. To link the Social Security Number back to the rest of the student's record, a separate linking code must be assigned to each student's record. By attaching a linking code to each student's record, the student's Social Security Number, any other highly sensitive student information, and a copy of the linking code could be stored in a separate secure location apart from the student record that is used on a day-to-day basis. The linking code should not be based on a student's Social Security Number or other personal information, should not be used to identify a student's personal information, and should only be used for linking different components of individual student records.

    [10] There are also a number of electronic controls that can be implemented to assist in the management of personally identifiable data. They will be covered in a Technical Brief on electronic security.

    Only a limited number of staff should have knowledge of the method used to generate the linking code. Further, only a limited number of authorized staff should have access to the secured sensitive information and should be permitted to use the linking code to combine two sets of records. Minimizing the number of times a student's Social Security Number and other sensitive data are accessed and limiting access to this information to a small set of authorized persons can help prevent unauthorized and inadvertent disclosures of the Social Security Numbers and other sensitive data.

    Each student record system could use its own unique internal linking codes. Then, when record linkages are needed across different record systems (e.g., between states when a student moves or between a secondary school data system and a postsecondary institution's data system), each system can use its linking code to link the student record to the secured Social Security Number. The record(s) with Social Security Numbers attached should be safely transmitted to the administrator of the receiving record system and then stored in a secure environment until the records from the two separate systems are linked by matching the Social Security Number from the two record systems. Once the linked file is created and the data are checked, the Social Security Number should be removed from the combined file, and each student's linking code and Social Security Number is again securely stored.
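The separation and cross-system linkage described above, worked through as an added example that is not code from the brief: the day-to-day record carries only the system's own student ID, the Social Security Number sits in a separate store reachable only through a random linking code, and the two systems are matched on the Social Security Number, which is then dropped from the combined file. The class names, the use of `secrets.token_hex` for the linking code, and every student value are assumptions constructed for illustration.

```python
# Added example, not code from the NCES brief. Student IDs, names and
# Social Security Numbers below are constructed sample values.
import secrets
from dataclasses import dataclass, field


@dataclass
class RecordSystem:
    """One student record system, e.g. a district SIS or a state SLDS."""
    name: str
    # Day-to-day records, keyed by this system's own unique student ID.
    records: dict = field(default_factory=dict)
    # Secured store kept apart from the day-to-day records:
    # linking code -> highly sensitive elements (here only the SSN).
    vault: dict = field(default_factory=dict)
    # student ID -> linking code; known only to the limited staff
    # who are authorized to combine the two sets of records.
    link_index: dict = field(default_factory=dict)

    def enroll(self, student_id, ssn, **day_to_day):
        """Create a record; the SSN goes to the vault, never to `records`."""
        if student_id in self.records:
            # Two students must never share one identification number.
            raise ValueError(f"{self.name}: duplicate student id {student_id}")
        if any(entry["ssn"] == ssn for entry in self.vault.values()):
            # One student must never hold two identification numbers.
            raise ValueError(f"{self.name}: student already enrolled")
        # The linking code is random, so it is not derived from the SSN
        # or from any other personal information.
        code = secrets.token_hex(8)
        self.records[student_id] = dict(day_to_day)
        self.vault[code] = {"ssn": ssn}
        self.link_index[student_id] = code
        return code

    def extract_for_linkage(self, student_ids):
        """Authorized staff attach the SSN to the records that must be
        matched against another system. The extract must be transmitted
        securely and held in a secure environment until matching is done."""
        rows = []
        for sid in student_ids:
            row = dict(self.records[sid])
            row["ssn"] = self.vault[self.link_index[sid]]["ssn"]
            rows.append(row)
        return rows


def link_on_ssn(rows_a, rows_b):
    """Match extracts from two systems on SSN and return the combined
    rows with the SSN removed, as the brief recommends."""
    by_ssn = {row["ssn"]: row for row in rows_b}
    linked = []
    for row_a in rows_a:
        row_b = by_ssn.get(row_a["ssn"])
        if row_b is None:
            continue  # no counterpart in the other system
        merged = {k: v for k, v in row_a.items() if k != "ssn"}
        merged.update({k: v for k, v in row_b.items() if k != "ssn"})
        linked.append(merged)
    return linked


def day_to_day_is_clean(system):
    """Audit check: no day-to-day record may carry an SSN or a linking code."""
    codes = set(system.vault)
    for rec in system.records.values():
        if "ssn" in rec:
            return False
        if any(isinstance(v, str) and v in codes for v in rec.values()):
            return False
    return True


def demo():
    """Constructed scenario: a district system and a state system share one
    student; link them and confirm the SSN never reaches day-to-day records."""
    district = RecordSystem("district")
    state = RecordSystem("state")
    district.enroll("D-1001", "000-00-0001", name="Ada", grade=11, attendance=0.97)
    district.enroll("D-1002", "000-00-0002", name="Bo", grade=9, attendance=0.88)
    state.enroll("S-55", "000-00-0001", assessment_score=412, district="district")
    linked = link_on_ssn(district.extract_for_linkage(["D-1001", "D-1002"]),
                         state.extract_for_linkage(["S-55"]))
    clean = day_to_day_is_clean(district) and day_to_day_is_clean(state)
    return linked, clean


if __name__ == "__main__":
    print(demo())
```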

    Workforce Security and Authorization for Access to Personally Identifiable Information

    Students and their parents provide the PII requested by the education system, with an expectation that the confidentiality of the information provided will be protected. To ensure that this expectation is fulfilled, administrators have a responsibility to confirm the trustworthiness of employees to whom sensitive student information is entrusted. This can be done through the use of security screenings, training, and binding confidentiality pledges.

    PII carries a potential for misuse. As a result, it is advisable to require security screenings for staff members whose job responsibilities require them to have access to PII in student education records. The screening might include a background investigation using written, electronic, telephone, or personal contact to determine the suitability, eligibility, and qualifications of a staff member for employment.[11]

    Administrators should establish job descriptions that delineate any uses of information that require access to PII from student education records. Administrators should then provide annually recurring training to inform each employee with any job responsibilities that involve student education records of all legal and regulatory safeguard requirements that apply to the use and the design, development, operation, or maintenance of electronic student education records. The training should also cover all rules and procedures that are in place to ensure compliance with the safeguard requirements. Finally, the training should inform employees of the penalties that apply to the misuse of the information in student education records (NIST, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), 2010 Special Publication 800-122, p. 4-1, 2, 3).

    Following training, signed Affidavits of Nondisclosure can be used when providing access to confidential data to help ensure awareness of and compliance with all laws, regulations, rules, and procedural protections that apply. The affidavit should include the following:

    • The time period approved for access;

    • A pledge to protect the personally identifiable data in each student's education record;

    • Citations to relevant laws, regulations, and rules;

    • A description of penalties for violations; and

    • An affirmation that the staff member has read and is aware of the documentation of the rules for handling and using student education records.

    [11] The U.S. Department of Education requires all staff and contractors with access to personally identifiable information to undergo a security screening.


    Requiring each authorized staff person to sign an Affidavit of Nondisclosure prior to being granted access to student education records fulfills the confidentiality pledge function.

    Affidavits of Nondisclosure can be maintained to provide a record of the fact that each authorized staff member affirmed his or her commitment to protect the PII in student education records.

    Once the affidavit is in place and access is granted, there are additional electronic mechanisms that can be used to protect the student education records and to monitor and record access and use for auditing and accounting purposes. Electronic security will be addressed in a separate Technical Brief.

    Role Based Access to Student Record Data

    As mentioned briefly in the discussion of job descriptions, the student information needed on a day-to-day basis varies across groups of employees depending on their roles in the education system. For example, an elementary school teacher is likely to need regular access to student data on attendance, grades, and student performance on various assessments, but not necessarily access to detailed information on the student's medical history or prior disciplinary actions. There are also likely to be differences in the amount of PII needed across levels of the education system. A program administrator for a district-wide program with a specific emphasis, such as science, math, or the arts, would need access to student education records including academic history and students' direct identifiers to organize placements into such programs. Meanwhile, an analyst in the district office who is responsible for generating aggregated reports of student performance for submission to the state education agency would need access to the performance results but not the direct identifiers for individual students.

    Once defined, the job descriptions can be used to identify sets of data elements that are needed by groups of data users based on their roles in the education system. Then, rather than allowing each employee access to the full electronic student record or restricting access to needed data elements one user at a time, the database manager grants access to a set of data elements based on the data user's role.

    This has been operationalized in statewide student record systems by the use of different access levels to protect personally identifiable and sensitive information in students' records. The Missouri Student Information System documentation, Data Access and Management Policy (pg. 6), offers a clear description of the goals in using access levels in the following statement: "All access levels are assigned in a way that maximizes usage by educators without risking inappropriate disclosure of personally identifiable information" (http://www.dese.mo.gov/MOSIS/).

    When a state uses access levels to control access to information in student records, the access level may control access to full records, with teachers, for example, being limited to students in their assigned classes, and principals having access to all student records in the school. The access level may also be used to control access to specific data elements (or fields) in the student records; finally, access levels can also be used to limit access to read only or to allow read and write access. In some instances, these three dimensions of control are used in combination (e.g., giving a teacher read and write access to a subset of data elements in the student records for the students enrolled in the teacher's class). As states develop systems for sharing student records across levels of the education system, the use of access levels can be expanded to encompass different roles in data use across levels.
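The three dimensions of control just described, combined in one access check, as an added example that is not code from the brief or from any state system: record scope (own classes, whole school, whole district), permitted data elements, and read versus write, with every decision written to an audit log. The role names, data elements, and sample records are assumptions constructed for illustration; a real system would derive them from its job descriptions.

```python
# Added example, not code from the NCES brief. Roles, data elements and
# the sample record are constructed for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessLevel:
    record_scope: str      # "own_classes", "school" or "district"
    readable: frozenset    # data elements this role may see
    writable: frozenset    # subset of `readable` this role may change


# Constructed access levels. Anything not listed is denied by default, so
# the "medical_history" element used below is invisible to every role here.
ACCESS_LEVELS = {
    "teacher": AccessLevel(
        "own_classes",
        frozenset({"name", "attendance", "grades", "assessments"}),
        frozenset({"attendance", "grades"})),
    "principal": AccessLevel(
        "school",
        frozenset({"name", "attendance", "grades", "assessments", "discipline"}),
        frozenset()),
    # The district analyst builds aggregate reports: results only,
    # no direct identifiers.
    "district_analyst": AccessLevel(
        "district", frozenset({"grades", "assessments"}), frozenset()),
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    school: str
    classes: frozenset = frozenset()   # class IDs taught (teachers only)


@dataclass
class StudentRecord:
    student_id: str
    school: str
    class_id: str
    data: dict = field(default_factory=dict)


# (user_id, student_id, action, element, allowed) for later auditing.
AUDIT_LOG = []


def in_scope(user, record):
    """Dimension 1: may this user reach this student's record at all?"""
    scope = ACCESS_LEVELS[user.role].record_scope
    if scope == "district":
        return True
    if scope == "school":
        return record.school == user.school
    return record.school == user.school and record.class_id in user.classes


def read_record(user, record):
    """Dimensions 1 and 2: return only the permitted elements, or None
    when the whole record lies outside the user's scope."""
    allowed = in_scope(user, record)
    AUDIT_LOG.append((user.user_id, record.student_id, "read", "*", allowed))
    if not allowed:
        return None
    readable = ACCESS_LEVELS[user.role].readable
    return {k: v for k, v in record.data.items() if k in readable}


def write_element(user, record, element, value):
    """Dimension 3: changes are allowed only for writable elements of
    in-scope records; everything else raises PermissionError."""
    level = ACCESS_LEVELS[user.role]
    allowed = in_scope(user, record) and element in level.writable
    AUDIT_LOG.append((user.user_id, record.student_id, "write", element, allowed))
    if not allowed:
        raise PermissionError(f"{user.role} may not write {element} "
                              f"for {record.student_id}")
    record.data[element] = value


def demo():
    """Constructed scenario: one record, four users with different levels."""
    rec = StudentRecord("S-1", "Elm Elementary", "4B", {
        "name": "Ada", "attendance": 0.95, "grades": "B",
        "assessments": 412, "discipline": "none",
        "medical_history": "asthma"})
    teacher = User("t1", "teacher", "Elm Elementary", frozenset({"4B"}))
    other_teacher = User("t2", "teacher", "Elm Elementary", frozenset({"5A"}))
    analyst = User("a1", "district_analyst", "District Office")
    principal = User("p1", "principal", "Elm Elementary")
    write_element(teacher, rec, "grades", "A")      # own class, writable
    try:
        write_element(principal, rec, "grades", "C")  # read-only role
        principal_blocked = False
    except PermissionError:
        principal_blocked = True
    return {
        "teacher": read_record(teacher, rec),
        "other_teacher": read_record(other_teacher, rec),
        "analyst": read_record(analyst, rec),
        "principal_blocked": principal_blocked,
    }
```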


    Using Education Records

    Once staff members have been authorized and granted access to student education records, they must abide by established rules and procedures for using the data, consistent with the terms agreed to in the Affidavit of Nondisclosure. Many of the security controls involved in using the data will be discussed in the Technical Brief on electronic security. However, there is an interface between access and use procedures and electronic security. Specifically, the Governance Committee should establish rules that identify where student records can be accessed. Within the school or office there may be restrictions placed on where staff members can access electronic student records. For example, access to the most sensitive information might be limited to specified secure locations, while access to less sensitive information might be allowed on a wider range of terminals. There may also be restrictions on whether access to student records is limited to the school or office, or whether remote access is permitted.

    The use of access restrictions among authorized users will help protect the information in student records from authorized users who might be tempted to look at information they are not authorized to access (i.e., browsing) or from other unauthorized uses of student data. However, even among the staff members granted access to student records, use of the information should be limited to permissible uses for the individual data elements, as established in the data inventory.

    To reinforce this, the Governance Committee should promulgate rules that prohibit browsing or unauthorized uses of information included in student education records.

    The Governance Committee should also identify specific behaviors that could lead to inadvertent unauthorized access and establish rules prohibiting these actions. For example, authorized data users should not share a computer that houses identifiable student records with anyone not authorized to access those records, and they should not leave student record data with PII on an unattended computer screen. In a similar vein, if staff members are authorized to print hard copy of PII from student records, there should be rules that require secure storage of hard copy printouts or records (i.e., in a locked cabinet). In addition, if staff members are authorized to copy PII from student records to a CD-ROM or flash drive, there should be rules concerning security and protection of these electronic devices. There should also be record retention rules that govern the length of time a staff member may maintain a local electronic copy or subset of student record data and the length of time that a staff member can maintain hard copy of PII from student records. There should be complementary rules and procedures that govern the destruction of electronic and hard copy extracts of student information at the end of the approved access period.

    Breaches of Personally Identifiable Information

    Every privacy and data protection plan should include a response plan for the appropriate handling of a breach of PII if one occurs. The NIST 2010 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) includes a detailed discussion of how to handle data breaches. In particular, the Governance Committee should develop a clear description of what constitutes a breach. That description should be communicated to all staff members who are authorized to access PII in student records, along with a description of the immediate steps to take in the event a security breach occurs or is suspected. In particular, there should be a designated person in the management chain to notify in the event of known or suspected breaches involving PII. Contact information for the designated manager should be disseminated to all staff members, along with a list of the information that should be provided when reporting a known or suspected breach. The NIST 2010 Guide (Special Publication 800-122, pg. 5-1, 2) recommends that the report should include the following information:

    • The name, job title, and contact information of the person reporting the incident;

    • The name, job title, and contact information of the person who discovered the incident;

    • Date and time the incident was discovered;

    • Nature of the incident (e.g., system level electronic breach, an electronic breach of one computer or device, or a breach of paper extracts of records);

    • Description of the information lost or compromised;

    • Name of electronic system and possible interconnectivity with other systems;

    • Storage medium from which information was lost or compromised;

    • Controls in place to prevent unauthorized use of the lost or compromised information;

    • Number of individuals potentially affected; and

    • Whether law enforcement was contacted.

    Known or suspected breaches of PII from student records should be reported as quickly as possible in an effort to mitigate any adverse events resulting from the breach. The Governance Committee should establish a time span for the reporting requirement (e.g., within one hour of discovery). The Governance Committee should also identify in advance how, when, and to whom notifications should be made (e.g., law enforcement, financial institutions, affected individuals, media, the public). Decisions concerning the breach notification should also be made as to the following:

    • Whether breach notification to affected individuals is required;

    • Timeliness of the notification;

    • General content of the notification;

    • Source of the notification (e.g., principal, superintendent, school board);

    • Means of providing the notification (e.g., letter or public announcement);

    • Who receives the notification (e.g., only affected individuals, general public);

    • Remediation options to be provided, if any (e.g., a free copy of credit report, credit monitoring); and

    • What corrective actions were taken and by whom.

    When a breach occurs, the designated authority should conduct an analysis of the likelihood of exposure and potential harm to affected individuals (e.g., in the case of student records, did the breach include Social Security Numbers and other information that could be used in identity theft, or was it limited to PII about the affected students' educational performance). This analysis will inform whether notification is required and the content of breach notification that is provided to affected individuals. There should also be an analysis of the circumstances that resulted in the breach so that the system or procedures can be modified as quickly as possible to avoid further breaches through the same mechanism.

    Summary

    At this point, the Governing Committee or its Data Subcommittee has reviewed job descriptions and identified the data elements needed for each position, identified authorization procedures for individual staff, and developed rules of access for authorized staff. The Governing Committee or a subcommittee has established a set of procedures to be used to assign unique student identification numbers for day-to-day use and has decided on a specific system architecture to be used in managing access to specific data elements. The Governing Committee or a subcommittee has also promulgated rules specifying the conditions of use for information in student education records, identifying permissible uses and prohibiting unauthorized uses; they have also established procedures for protecting PII when it is in the possession of authorized users and procedures for records disposition. Finally, the Governing Committee has also developed a plan of action to be executed in the event of a data breach.


    Provide Public Notice of Education Record Systems

    Providing public notice of the existence and use of a student education record system is another essential component of a privacy and data protection program. The Fair Information Practice of Transparency calls for providing "notice to the individual regarding the collection, use, dissemination, and maintenance of personally identifiable information" (NIST 2010 Special Publication 800-122, p. D-2, 3).

    Annual Notifications

    Consistent with the Fair Information Practice of transparency, FERPA and the related regulations require each educational agency or institution that receives funds from the U.S. Department of Education to provide all parents or eligible students[12] an annual notice of their rights with regards to the existence and use of student education records (20 U.S.C. 1232g(e), 34 CFR 99.7). Insofar as some direct student identifiers are made available publicly as Directory information, FERPA also requires that parents are given an annual notice of the school or district's definition of student directory information, with the opportunity to opt out of the inclusion of their child's, or the eligible student's, directory information (20 U.S.C. 1232g(e), 34 CFR 99.7).

    FERPA

    Under FERPA and the related regulations, the institution, school, or the school district must provide parents with annual notification of their rights[13] and the procedures to use to inspect and review their children's education records and to seek amendment of inaccurate or misleading information in that record.[14] Furthermore, parents must be notified of the disclosures that are permissible under law without their consent,[15] and of the fact that they must consent to other disclosures of PII from their children's education records. Finally, the annual FERPA notice must describe the procedure for a parent to follow in filing a complaint of an alleged violation with the Family Policy Compliance Office (FPCO) in the U.S. Department of Education.

    The annual notification does not have to be made individually to parents. Instead, it can be done through any of the following: local or student newspaper, calendar, student programs guide, rules handbook, or other reasonable means.

    Directory

    A school or district is also required to provide an annual Directory notice, if directory information is disclosed without consent. The school or district may choose to combine their annual FERPA notification with their annual Directory notice. Directory information includes information contained in a student's education record that would not generally be considered harmful or an invasion of privacy if disclosed. The Directory notice must describe the specific types of information the school or district has designated as directory information, and the parents' right to opt out of disclosure of directory information. In the case of postsecondary institutions, these rights accrue to the student.

    PPRA

    The Pupil Protection Rights Act requires parental notification if a study to be conducted in a school includes any information or questions about the student or the student's family related to the eight identified sensitive topics: political affiliations or beliefs; religious practices, affiliations, or beliefs; mental and psychological problems; sex behavior or attitudes; illegal, anti-social, self-incriminating and demeaning behavior; critical appraisals of family members; legally recognized privileged relationships; or income.[16]

    [12] Eligible students are those age 18 and over or enrolled in postsecondary institutions.

    [13] These rights transfer to the student when he or she turns 18 years of age or enters a postsecondary educational institution at any age (eligible student).

    [14] These requirements are consistent with the Fair Information Practices of Individual Participation and Redress, where redress involves providing mechanisms for appropriate access, correction, and redress regarding the use of personally identifiable information.

    [15] This must include a description of who is considered to be a school official and what is considered to be a legitimate educational interest.

    If the study is funded by the U.S. Department of Education, schools and contractors must obtain written parental consent before minor students can be required to participate in the study. If the school received funds from the U.S. Department of Education, school districts are required to provide an annual schedule of the specific or approximate dates of all other surveys with a notification of the parents' right to request and review a copy of the survey before it is administered and to decide that their child will not participate, regardless of the survey's source of funding. Under this Act, parents must also be notified each year of their right to decide whether or not their child will participate in activities that make students' personal information available for marketing or other profit-making activities.[17] Parents must also be notified of their right to decide whether or not their child will participate in any non-emergency, invasive physical examination or screening that is scheduled in advance and administered by the school as a required condition of attendance but that is not necessary to protect the immediate health and safety of students.

    Under PPRA, schools and contractors are also required to make instructional materials that will be used in any of the studies in which their children participate available for the parents' inspection. Planned surveys that include protected information must be made available for the parents' inspection prior to the administration of the survey.

    Resources

    The FPCO website includes more specific details and model FERPA notices to use at the school or district level (http://www2.ed.gov/policy/gen/guid/fpco/ferpa/lea-officials.html) and at the postsecondary institution level (http://www2.ed.gov/policy/gen/guid/fpco/ferpa/ps-officials.html), as well as a model Directory notice (http://www2.ed.gov/policy/gen/guid/fpco/ferpa/mndirectoryinfo.html) and a model PPRA notice for use by school districts (http://www2.ed.gov/policy/gen/guid/fpco/ppra/modelnotification.html).

    Disclosure of Education Records

    The Fair Information Practice of Individual Participation calls for involving the individual in the process of using personally identifiable information and seeking individual consent for the collection, use, dissemination, and maintenance of personally identifiable information. Consistent with this practice, parents' rights to consent to disclosures of PII included in the student's education record must be described in the annual FERPA notice (FERPA, 20 U.S.C. 1232g(e), 34 CFR 99.7 and 99.30). To meet this requirement, a school must:

    • Have a parent's consent prior to the disclosure of education records; and

    • Ensure that the consent is signed and dated, specify the records that may be disclosed, state the purpose of the disclosure, and identify to whom the disclosure may be made.

    The Fair Information Practice of Purpose Specification stresses the importance of specifically articulating the authority that permits the collection of personally identifiable information and specifically articulating the purpose or purposes for which the personally identifiable information is intended to be used. The annual FERPA notice provides information about permissible uses of PII in education records. That is, FERPA allows educational agencies and institutions to non-consensually release education records to school officials and other designated entities with legitimate educational interests (20 U.S.C. 1232g(b)(1)(A)), but the FERPA regulations require educational agencies or institutions that elect to disclose education records to the entities authorized in the Act to use the annual notice to specify the criteria used for identifying a school official and the definition of a legitimate educational interest. Specifically, under the FERPA regulations at 34 CFR 99.31, a school may disclose PII from education records without consent when:

    • The disclosure is to school officials who have been determined to have legitimate educational interests;

      – The disclosure is to other school officials, including teachers, within the agency or institution who have legitimate educational interests; a third-party contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services for which the agency or institution would otherwise use employees, as long as that third party's use and maintenance of education records is under the direct control of the agency or institution and is subject to the regulation requirements governing the use and redisclosure of PII from education records (34 CFR 99.33(a)); and

      – An educational agency or institution uses reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests (34 CFR 99.31(a)(1));

    • The disclosure is to officials of another school, district, or institution of postsecondary education where the student seeks or intends to enroll, or where the student is already enrolled so long as the disclosure is for purposes related to the student's enrollment or transfer (34 CFR 99.31(a)(2) and 99.34);

    • The disclosure is to authorized representatives of the Comptroller General of the United States, the Attorney General of the United States, the Secretary of the Department of Education, or state and local educational authorities for the purpose of auditing or evaluating federal or state supported education programs or enforcing federal laws which relate to those programs (34 CFR 99.31(a)(3) and 99.35);

    • The disclosure is in connection with financial aid for which the student has applied or which the student has received if the information is necessary for such purposes as to determine eligibility, the amount, the conditions for the student to apply for or receive financial aid or enforce the terms and conditions of the aid (34 CFR 99.31(a)(4));

    • The disclosure is to organizations conducting studies for, or on behalf of, educational agencies or institutions for specified purposes related to predictive tests, student aid programs, or the improvement of instruction (34 CFR 99.31(a)(6));

    • The disclosure is to accrediting organizations to evaluate accreditation status (34 CFR 99.31(a)(7));

    • The disclosure is pursuant to a court order or a lawfully issued subpoena[18] (34 CFR 99.31(a)(9));

    • The disclosure is in connection with a health or safety emergency (34 CFR 99.31(a)(10) and 99.36);

    • The information disclosed has been appropriately designated as directory information by the school (34 CFR 99.31(a)(11) and 99.37); and

    • The disclosure is of de-identified student level data for the purposes of education research (34 CFR 99.31(b)).

    [16] See the earlier section "Identify All Personally Identifiable and Sensitive Information" for the complete text of the list as specified in law.

    [17] This does not apply to information collected from students to support educational products or student services such as postsecondary education or military recruitment; book clubs, magazines, and programs providing access to low-cost literacy products; curriculum and instructional materials; tests and assessments used to provide information about students; the sale by students of products or services to raise funds for school-related or education-related activities; and student recognition programs.

    The SLDS Technical Brief on data sharing agreements will cover recommended terms for inclusion in agreements, along with a discussion of the specific uses permitted under legitimate educational interests, education research, and uses related to predictive tests, student aid programs, and the improvement of education.

    Summary

    A privacy and data protection program for student education records must include an array of rules and procedures for protecting PII held in the record system. It also must include a full set of public disclosures of the existence and uses of the information included in the data system, a description of all parents' or eligible students' rights to review and appeal the contents of an individual education record and of their rights and the procedures to appeal a violation.

    [18] See 34 CFR 99.31 for additional disclosures related to legal matters.


    Accountability and Auditing

    The Fair Information Practice of Accounting and Auditing calls for "Auditing for the actual use of personally identifiable information to demonstrate compliance with established privacy controls." This involves auditing the use of PII to demonstrate compliance with an organization's privacy and data protection plan, the privacy principles embodied in the Fair Information Practices, and all applicable privacy protection laws, regulations, and administrative requirements. The specific activities to be audited should be identified in the privacy and data protection plan. Many elements of a data security audit involve electronic security and will be discussed in the Brief on that topic. However, there are several aspects of data stewardship that should be audited to confirm that required actions are taken to ensure the proper use and protection of PII in student education records. A failure to comply with any of the identified auditable elements of the privacy and data protection plan should be reported to appropriate officials for action.

    Audit the Inventory of Personally Identifiable Information

    The inventory of PII should include all current and proposed data elements (NIST, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), Special Publication 800-122, 2010, p. 2-2). The data manager should maintain records of the inventory of PII.

    In the first data stewardship privacy audit, the inventory should be examined against the content of the existing longitudinal data system to determine whether the list of personally identifiable data elements maintained for students, teachers, and other staff members is complete.

    Next, the audit should confirm that the inventory includes all of the required information for each data element. That is, for each data element, the inventory should include an indication of specific uses, whether it is a direct or an indirect identifier and the associated risk level, and whether it involves any of the restricted topics identified in the Protection of Pupil Rights Act. Subsequent audits should identify updates to the record system that added new data elements and ensure that each new data element was added to the inventory and that all of the required information is included for each data element.
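The two inventory checks just described (first audit: is every data element in the system inventoried, and does every entry carry its required attributes; later audits: which elements were added since last time) can be run mechanically against the schema. The following is an added illustration, not code from the brief or from NCES; the column names, inventory entries, the three-level risk scale and the field names `uses`, `identifier_type`, `risk_level` and `ppra_restricted` are all assumptions made for the example.

```python
"""Audit of a PII inventory against the data system's schema.

Constructed example: column names, inventory entries and the vocabulary for
identifier type and risk level are assumptions, not values from the brief.
"""
from typing import Dict, List, Set

# Information the brief says the inventory must record for each data element.
REQUIRED_FIELDS = ("uses", "identifier_type", "risk_level", "ppra_restricted")
IDENTIFIER_TYPES = {"direct", "indirect"}
RISK_LEVELS = {"low", "moderate", "high"}          # assumed three-level scale

# Constructed column sets: what the schema held at the previous audit and now.
PREVIOUS_COLUMNS = {"student_id", "first_name", "last_name", "date_of_birth", "grade"}
SYSTEM_COLUMNS = PREVIOUS_COLUMNS | {"free_lunch_eligible", "religious_affiliation"}

# Constructed inventory with three planted defects: religious_affiliation was
# added to the system but never inventoried; grade lacks required attributes;
# home_phone was dropped from the system but still sits in the inventory.
INVENTORY: Dict[str, Dict] = {
    "student_id": {"uses": ["record linkage"], "identifier_type": "direct",
                   "risk_level": "high", "ppra_restricted": False},
    "first_name": {"uses": ["reporting"], "identifier_type": "direct",
                   "risk_level": "high", "ppra_restricted": False},
    "last_name": {"uses": ["reporting"], "identifier_type": "direct",
                  "risk_level": "high", "ppra_restricted": False},
    "date_of_birth": {"uses": ["age calculation"], "identifier_type": "indirect",
                      "risk_level": "moderate", "ppra_restricted": False},
    "grade": {"uses": ["enrollment reporting"], "identifier_type": "indirect"},
    "free_lunch_eligible": {"uses": ["Title I reporting"], "identifier_type": "indirect",
                            "risk_level": "high", "ppra_restricted": True},
    "home_phone": {"uses": ["parent contact"], "identifier_type": "direct",
                   "risk_level": "moderate", "ppra_restricted": False},
}


def check_entry(entry: Dict) -> List[str]:
    """Return the problems with one inventory entry (empty list if complete)."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in entry]
    if "identifier_type" in entry and entry["identifier_type"] not in IDENTIFIER_TYPES:
        problems.append("identifier_type must be direct or indirect")
    if "risk_level" in entry and entry["risk_level"] not in RISK_LEVELS:
        problems.append("risk_level outside the agreed scale")
    if "ppra_restricted" in entry and not isinstance(entry["ppra_restricted"], bool):
        problems.append("ppra_restricted must be True or False")
    if "uses" in entry and not entry["uses"]:
        problems.append("no specific use recorded")
    return problems


def audit_pii_inventory(system_columns: Set[str], inventory: Dict[str, Dict]) -> Dict:
    """First-audit check: is the inventory complete, and is each entry complete?"""
    names = set(inventory)
    incomplete = {}
    for name, entry in sorted(inventory.items()):
        problems = check_entry(entry)
        if problems:
            incomplete[name] = problems
    return {
        "missing_from_inventory": sorted(system_columns - names),
        "no_longer_in_system": sorted(names - system_columns),
        "incomplete_entries": incomplete,
    }


def new_elements_since(previous_columns: Set[str], current_columns: Set[str]) -> List[str]:
    """Subsequent-audit check: elements added to the system since the last audit."""
    return sorted(current_columns - previous_columns)


if __name__ == "__main__":
    for kind, items in audit_pii_inventory(SYSTEM_COLUMNS, INVENTORY).items():
        print(kind, items)
    print("added since last audit:", new_elements_since(PREVIOUS_COLUMNS, SYSTEM_COLUMNS))
```

Each finding maps to an action the brief already prescribes: an element missing from the inventory gets inventoried and classified before it is used, an incomplete entry is completed, and a stale entry is either removed or traced back to a column that was dropped without the data manager's records being updated.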

    Audit of Data Quality and Integrity

    FERPA (20 U.S.C. 1232g(a)) and the related regulations (34 CFR 99) establish the right of a parent to inspect and review his or her child's (or, in the case of an eligible student, his or her own) education record for accuracy. The data manager should develop procedures that result in data that are up to date and complete and that accurately reflect the student's educational experiences. Periodic audits of data quality can support data quality by either substantiating the quality of individual data elements or identifying inaccuracies for correction. Periodic quality audits should be built into the data collection, reporting, and release cycle.

    The NCES-sponsored National Forum on Education Statistics published the 2004 report Forum Guide to Building a Culture of Data Quality to assist schools and school districts in the development of procedures to improve the accuracy, utility, timeliness, and security of data in education data systems. The Forum web site also provides lesson plans as part of the Forum Curriculum for Improving Education Data (http://nces.ed.gov/pubs2007/curriculum/index.asp). The curriculum is designed for use in schools and school districts to support the production of high-quality education data, with the goal of presenting the concepts and skills needed to improve data quality. One of the lessons included in the curriculum is Validating and Auditing Data (http://nces.ed.gov/pubs2007/curriculum/ls_validating.asp).

    The goals of the curriculum on data validation and audits include describing the steps required to validate data, describing the purpose of a data audit, and identifying the steps included in a data audit in order to outline a plan for a data audit. The data validation involves data entry, checking for errors, confirming errors are real and not outliers, identifying each place the incorrect data element is stored in the data system, and providing corrections to the data entry staff. [19]

    [19] While these data validation activities have broader utility than those involved with privacy, ensuring the accuracy and validity of data maintained in an education record system is consistent with the FERPA requirement that parents have the right to review the accuracy of their children's information.


    The audit confirms the accuracy of the data that are released for use by the school and district staff and by the public. To conduct a successful audit of data accuracy, the first step is to identify the released data (e.g., printed reports, tables published on the web, online table generator), and then the data should be analyzed, looking especially for data anomalies. If suspected data anomalies are identified, the audit next focuses on whether they represent real change or whether they are the result of an error. If an error is identified, the source of the error should be investigated (e.g., data recording error, transposed number, data entry error), and the needed correction should be identified. Related procedures are reviewed to identify any needed changes. Staff who contributed to the error should be notified and provided instruction needed to avoid repeating the error. Finally, notice of the changed data should be provided to all data users.

    Audits of Internal Controls used to Protect Personally Identifiable Information

    Unique Student Identifiers

    Longitudinal student record data require a unique record identifier for each student in a data system. That unique identifier is needed to link each student's electronic record across grade levels and across schools, institutions, and related educational programs. Once attached to a student record, this identifier becomes part of that student's PII, as it must be unique to the student to be useful. Thus, the audit of internal controls should start with an examination of the process used to assign unique student identification numbers. The first question is whether unique identification numbers other than the students' Social Security Numbers are in place for use in day-to-day operations. If so, the next task is to confirm that the student identification numbers are not based on the students' Social Security Numbers; that the students' Social Security Numbers are securely stored apart from the student records that are used daily; that a linking code exists to be used to link a student's record to that student's Social Security Number when the need arises (e.g., the student transfers out of state or transitions to postsecondary education); and that the method for generating the linking key is closely protected, with knowledge limited to a small number of staff positions.

    The student identification numbers should be audited to ensure that each student has only one identification number. This can be done electronically by searching for matching data on the combination of name, age, grade, sex, and race/ethnicity. If matches occur, the student records should be examined further to confirm that there are not multiple records for an individual student. These matches should include options for multiple spellings of names and for the use of initials in addition to, or in place of, the first name. If any students are found with multiple student identification numbers, the records should be consolidated into one record using only one of the identification numbers for that student, and the duplicate records should be deleted.

    Conversely, the student identification numbers should be examined to confirm that the same number is not being used for multiple students. This can be done by electronically searching for exact matches on two or more identification numbers. If matches occur, the associated records should be examined to confirm whether the records are for different students or whether there are two records for the same student (perhaps with a full first name on one record and initials in place of the first name on the second record). If one identification number has been assigned to two or more students, each student should be given a new unique identification number. If one identification number is being used for two different records for the same student, the two records should be reconciled and combined under the existing student identification number.
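The two electronic searches described in the preceding paragraphs (one student carrying several identification numbers, and one identification number shared by several records) can be implemented as a single audit script. What follows is an added example, not code or data from the brief: the records are fictitious, the field names (`student_id`, `first`, `last`, `age`, `grade`, `sex`, `race`) are assumed, and the name-matching rule (an initial matches any name starting with that letter; two full names match when their similarity ratio is at least 0.8) is one reasonable choice among several.

```python
"""Audit of unique student identifiers.

Constructed example: the records, field names and matching rules below are
assumptions made for illustration, not data or code from the brief.
"""
from collections import defaultdict
from difflib import SequenceMatcher
from typing import Dict, List, Tuple

# Constructed, fictitious student records.
RECORDS = [
    {"student_id": "A1001", "first": "Jonathan",  "last": "Rivera",   "age": 10, "grade": 5,  "sex": "M", "race": "H"},
    {"student_id": "A1002", "first": "J.",        "last": "Rivera",   "age": 10, "grade": 5,  "sex": "M", "race": "H"},
    {"student_id": "A1003", "first": "Katherine", "last": "Nguyen",   "age": 12, "grade": 7,  "sex": "F", "race": "A"},
    {"student_id": "A1004", "first": "Catherine", "last": "Nguyen",   "age": 12, "grade": 7,  "sex": "F", "race": "A"},
    {"student_id": "A1005", "first": "Marcus",    "last": "Oduya",    "age": 9,  "grade": 4,  "sex": "M", "race": "B"},
    {"student_id": "A1005", "first": "M",         "last": "Oduya",    "age": 9,  "grade": 4,  "sex": "M", "race": "B"},
    {"student_id": "A1006", "first": "Elena",     "last": "Sato",     "age": 15, "grade": 10, "sex": "F", "race": "A"},
    {"student_id": "A1006", "first": "Daniel",    "last": "Kowalski", "age": 16, "grade": 11, "sex": "M", "race": "W"},
    {"student_id": "A1007", "first": "Priya",     "last": "Raman",    "age": 11, "grade": 6,  "sex": "F", "race": "A"},
]


def _norm(name: str) -> str:
    """Lower-case and keep letters only, so 'J.' and 'j' compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalpha())


def first_names_compatible(a: str, b: str, threshold: float = 0.8) -> bool:
    """True when two first names could belong to the same person: an initial
    matching the other name's first letter, or two spellings that are close."""
    a, b = _norm(a), _norm(b)
    if not a or not b:
        return False
    if len(a) == 1 or len(b) == 1:          # one side is an initial
        return a[0] == b[0]
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold


def _demographics(r: Dict) -> Tuple:
    """The non-name fields the brief says to match on, plus the last name."""
    return (_norm(r["last"]), r["age"], r["grade"], r["sex"], r["race"])


def find_students_with_multiple_ids(records: List[Dict]) -> List[List[str]]:
    """Groups of distinct IDs that appear to belong to one student."""
    buckets = defaultdict(dict)              # demographics -> {student_id: record}
    for r in records:
        buckets[_demographics(r)].setdefault(r["student_id"], r)
    groups = []
    for by_id in buckets.values():
        clusters: List[List[str]] = []       # IDs whose first names agree
        for sid, rec in sorted(by_id.items()):
            for cluster in clusters:
                if first_names_compatible(rec["first"], by_id[cluster[0]]["first"]):
                    cluster.append(sid)
                    break
            else:
                clusters.append([sid])
        groups.extend(c for c in clusters if len(c) > 1)
    return sorted(groups)


def find_shared_ids(records: List[Dict]) -> Dict[str, str]:
    """IDs used on more than one record, classified as 'same_student' (reconcile
    under the existing ID) or 'different_students' (issue new unique IDs)."""
    by_id = defaultdict(list)
    for r in records:
        by_id[r["student_id"]].append(r)
    verdicts = {}
    for sid, recs in by_id.items():
        if len(recs) < 2:
            continue
        same = all(_demographics(a) == _demographics(b)
                   and first_names_compatible(a["first"], b["first"])
                   for i, a in enumerate(recs) for b in recs[i + 1:])
        verdicts[sid] = "same_student" if same else "different_students"
    return verdicts


if __name__ == "__main__":
    print("one student, several IDs:", find_students_with_multiple_ids(RECORDS))
    print("one ID, several records:", find_shared_ids(RECORDS))
```

Both functions only flag candidates; as the brief says, the flagged records are then examined by staff before any consolidation or reassignment, since a fuzzy name match on shared demographics can still be two different children.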

    Workforce Security and Permitted Access to Personally Identifiable Information

    To ensure that the requirements of FERPA are met and that PII is protected, administrators have a responsibility to protect access to that information and to confirm the trustworthiness of employees to whom sensitive student information is entrusted. An audit of workforce security should start with a review of job descriptions to ensure that the need for access to PII is clearly specified. Then, once the positions with a need for access are identified, the audit should review the list of staff members in those positions against the documentation for completed background investigations to ensure that each staff member with access to personally identifiable and sensitive student information has successfully passed a background check. The audit should review the same list of staff members against the list of staff who completed the required privacy and data protection training and the file of signed confidentiality pledges (i.e., affidavits of nondisclosure) to ensure that each staff member with access to personally identifiable and sensitive student information is aware of the relevant laws, regulations, and rules and has agreed to uphold them to protect student information.

    The data manager should also have records documenting the authorized level of access for each data user granted access to any personally identifiable student information. There should be an access control system in place, and an audit should be conducted to ensure that each data user's level of access is in line with that person's current job description. If discrepancies are found, the level of access should be corrected, or a justification for the deviation from established access levels should be documented. In addition, the current levels of access should be compared to the approved levels of access. If discrepancies are found, the level of access should be corrected, or a justification should be provided and the data user's access level should be corrected in the data manager's records.
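The workforce security and access-level checks in the two preceding paragraphs reduce to comparing a few lists: positions against the access their job descriptions justify, staff in those positions against the background-check, training and pledge files, and the data manager's approved levels against what the access control system actually enforces. The block below is an added example, not code from the brief or from NCES; the roster, the four-step access scale (`none`, `deidentified`, `pii`, `pii_sensitive`), the finding codes and the `s99` orphan account are all constructed for illustration.

```python
"""Audit of workforce security records and access levels.

Constructed example: the staff list, position requirements, access-level scale
and finding codes are assumptions made for illustration, not the brief's.
"""
from typing import Dict, List, Set, Tuple

# Assumed access-level scale, least to most sensitive.
LEVELS = ["none", "deidentified", "pii", "pii_sensitive"]

# Constructed job descriptions: the access level each position needs.
POSITIONS = {"registrar": "pii_sensitive", "data_analyst": "deidentified",
             "counselor": "pii_sensitive", "web_admin": "none"}
# Constructed staff roster (staff id -> position).
STAFF = {"s01": "registrar", "s02": "data_analyst", "s03": "counselor", "s04": "web_admin"}
# Constructed compliance files.
BACKGROUND_CHECKS: Set[str] = {"s01"}            # s03 has no completed check on file
TRAINING: Set[str] = {"s01", "s02", "s03"}
PLEDGES: Set[str] = {"s01", "s03"}
# Data manager's approved levels versus what the access control system enforces.
APPROVED = {"s01": "pii_sensitive", "s02": "pii", "s03": "pii_sensitive", "s04": "none"}
CURRENT = {"s01": "pii_sensitive", "s02": "pii", "s03": "pii_sensitive",
           "s04": "pii_sensitive", "s99": "pii"}  # s99 is not on the roster

Finding = Tuple[str, ...]


def rank(level: str) -> int:
    return LEVELS.index(level)


def needs_pii(level: str) -> bool:
    return rank(level) >= rank("pii")


def audit_workforce(staff: Dict[str, str], positions: Dict[str, str],
                    background_checks: Set[str], training: Set[str],
                    pledges: Set[str]) -> List[Finding]:
    """For every position that needs PII access, confirm the three records
    the brief calls for: background check, privacy training, signed pledge."""
    findings: List[Finding] = []
    for sid, job in sorted(staff.items()):
        if not needs_pii(positions[job]):
            continue
        if sid not in background_checks:
            findings.append((sid, "missing_background_check"))
        if sid not in training:
            findings.append((sid, "missing_privacy_training"))
        if sid not in pledges:
            findings.append((sid, "missing_confidentiality_pledge"))
    return findings


def audit_access_levels(staff: Dict[str, str], positions: Dict[str, str],
                        approved: Dict[str, str], current: Dict[str, str]) -> List[Finding]:
    """Approved level versus job description, then enforced level versus
    approved level, plus accounts that exist with no staff record behind them."""
    findings: List[Finding] = []
    for sid, job in sorted(staff.items()):
        required = positions[job]
        app = approved.get(sid, "none")
        cur = current.get(sid, "none")
        if rank(app) > rank(required):
            findings.append((sid, "approved_exceeds_job_description", app, required))
        if cur != app:
            findings.append((sid, "current_differs_from_approved", cur, app))
    for sid in sorted(set(current) - set(staff)):
        findings.append((sid, "account_without_staff_record", current[sid], "none"))
    return findings


if __name__ == "__main__":
    for f in audit_workforce(STAFF, POSITIONS, BACKGROUND_CHECKS, TRAINING, PLEDGES):
        print("workforce:", f)
    for f in audit_access_levels(STAFF, POSITIONS, APPROVED, CURRENT):
        print("access:", f)
```

Each finding carries the two values that disagree so the reviewer can either correct the access control system or, as the brief allows, record a documented justification for the deviation; an account with no corresponding staff record is the case the brief's comparison would otherwise miss, since it matches neither a job description nor an approved level.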

    Summary

    A privacy and data protection program for student education records must include a set of checks and balances to ensure that the necessary rules and procedures are in place and that they are being fully implemented. This is best done through a formal periodic audit of the various processes involved in the processing and usage of personally identifiable student information, starting with the careful identification of the personally identifiable and sensitive data elements and continuing through the data processing and reporting to the day-to-day usage of student information. The audit starts by identifying the relevant governing rules and procedures, examines the records for deviations from the rules and procedures, and ensures that needed corrections are implemented. Where possible, the audit should identify the factors that contributed to the problems identified, examine the related processes, and make suggestions for procedural changes that might reduce the number of similar problems in future audits.

    References

    American Statistical Association, Committee on Privacy and Confidentiality. Key Terms/Definitions in Privacy and Confidentiality. Alexandria, VA. Retrieved from http://www.amstat.org/committees/pc/keyterms.html on 6/17/2010.

    Code of Federal Regulations, Title 34, Education, Part 99. Family Educational and Privacy Rights (34 CFR 99). Washington, DC: GPO Access e-CFR. Retrieved from http://ecfr.gpoaccess.gov/cgi/t/text/ext-idx?c=ecfr&sid=44d350c26fb9cba4a156bf805f297c9e&tpl=/ecfrbrowse/Title34/34cfr99_main_02.tpl on 9/10/2010.

    The Federal Chief Information Officers Council (2008). Federal Enterprise Architecture Security and Privacy Profile, Version 2. Washington, DC: Federal Enterprise Architecture Program Management Office. Retrieved from http://www.cio.gov/Documents/Security_and_Privacy_Profile_v2.pdf on 6/17/2010.

    National Forum on Education Statistics (2004). Forum Guide to Protecting the Privacy of Student Information: State and Local Education Agencies (NCES 2004-330). Washington, DC. Retrieved from http://nces.ed.gov/pubs2004/2004330.pdf on 6/17/2010.

    National Forum on Education Statistics (2004). Forum Guide to Building a Culture of Quality Data: A School & District Resource (NFES 2005-801). Washington, DC. Retrieved from http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2005801 on 6/17/2010.

    McCallister, E., Grance, T., and Scarfone, K. (2010). Guide to Protecting the Confidentiality of Personally Identifiable Information (PII): Recommendations of the National Institute of Standards and Technology (NIST Special Publication 800-122). National Institute of Standards and Technology, U.S. Department of Commerce, Washington, DC. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf on 5/4/2010.

    Sweeney, Latanya (2005). Recommendations to Identify and Combat Privacy Problems in the Commonwealth. Testimony on House Resolution 351, Pennsylvania House Select Committee on Information Security.

    U.S. Code, Title 20, Education, Chapter 31, General Provisions Concerning Education, Subchapter III, General Requirements and Conditions Concerning Operation and Administration of Education Programs: General Authority of Secretary, Part 4, Records, Privacy, Limitation on Withholding Federal Funds, Section 1232g. Family Educational and Privacy Rights (20 USC 1232g). Washington, DC: GPO Access. Retrieved from http://frwebgate4.access.gpo.gov/cgi-bin/TEXTgate.cgi?WAISdocID=799486197532+0+1+0&WAISaction=retrieve on 9/10/2010.

    U.S. Code, Title 20, Education, Chapter 70, Strengthening and Improvement of Elementary and Secondary Schools, Subchapter I, Improving the Academic Achievement of the Disadvantaged, Part A, Improving Basic Programs Operated by Local Educational Agencies, Subpart 1, Basic Program Requirements, Section 6311. State Plans (20 USC 6311). Washington, DC: GPO Access. Retrieved from http://frwebgate2.access.gpo.gov/cgi-bin/TEXTgate.cgi?WAISdocID=bULwJH/21/1/0&WAISaction=retrieve on 9/10/2010.

    U.S. Code, Title 20, Education, Chapter 76, Education Research, Statistics, Evaluation, Information, and Dissemination, Subchapter I, Education Sciences Reform, Section 9547. Cooperative Education Statistics Systems (20 USC 9547). Washington, DC: GPO Access. Retrieved from http://frwebgate.access.gpo.gov/cgi-bin/usc.cgi?ACTION=RETRIEVE&FILE=$$xa$$busc20.wais&start=10271732&SIZE=977&TYPE=TEXT on 9/10/2010.

    U.S. Code, Title 20, Education, Chapter 76, Education Research, Statistics, Evaluation, Information, and Dissemination, Subchapter II, Educational Technical Assistance, Section 9607. Grant Program for Statewide, Longitudinal Data Systems (20 USC 9607). Washington, DC: GPO Access. Retrieved from http://frwebgate3.access.gpo.gov/cgi-bin/TEXTgate.cgi?WAISdocID=FKr6BA/0/1/0&WAISaction=retrieve on 9/10/2010.

    U.S. Department of Commerce, National Institute of Standards and Technology (2010). Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (SP 800-122). Gaithersburg, MD.

    U.S. Department of Health and Human Services, Report of the HEW Secretary's Advisory Committee on Automated Personal Data Systems (1973). Records, Computers and the Rights of Citizens. Washington, DC. Retrieved from http://aspe.hhs.gov/datacncl/1973privacy/tocprefacemembers.htm on 5/11/2010.

    U.S. Department of Homeland Security, Privacy Policy Guidance Memorandum (2008). The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security. Washington, DC. Retrieved from http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf on 6/17/2010.

    U.S. Public Law 110-69, America Competes Act, Title VI, Education, Section 6401. Washington, DC: GPO Access. Retrieved from http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=110_cong_public_laws&docid=f:publ069.110 on 9/10/2010.

    U.S. Public Law 111-5, American Recovery and Reinvestment Act, Title VIII, Education, Institute of Education Sciences. Washington, DC: GPO Access. Retrieved from http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_public_laws&docid=f:publ005.111 on 9/10/2010.