The Center for IDEA Early Childhood Data Systems Lessons Learned from Developing Data Sharing Agreements Baron Rodriguez, DaSy Center Sharon Walsh, DaSy Center Jill Singer, NC Part C Nicholas Ortiz, CO Dept. of Education September 21, 2015

2 Agenda Objectives Mapping Process Data Sharing Agreements – requirements and best practices State experiences Resources

3 Objectives Participants will have an improved understanding of: –Requirements related to data sharing agreements –Common challenges and pitfalls in developing data sharing agreements –Effective strategies and best practices for developing agreements –DaSy and PTAC resources on data sharing agreements

4 Some Questions for You

5 Before you start, map! Why? Understanding data flows/sources/elements helps determine which laws apply: –Privacy Protections –Security Requirements –Breach Notification Requirements –Consent Requirements Gives you a better understanding of your data systems and assists you with internal & external communications

6 High Level Mapping Steps

7 Data Mapping: Key Steps Identify the key policy questions Identify data types/elements needed to answer those questions Do you have multi-agency governance? –Yes=Document the process; –No=institute multi-agency governance Agencies involved? What level of data is needed at the input AND output level?

8 Data Mapping: Key Steps Review applicable state, federal, & local laws. –Current/pending privacy bills? Impact? –Compliance is the bar, not the ceiling.. You may want MORE stringent controls. Review current privacy policies in EACH agency involved with data integration. –Alignment with applicable laws above? –Do policies meet multi-agency governance needs of LINKED data?

9 Mapping Process… Map data flow in a visual format –Where information resides (agency/system), where it will go, and what the output (aggregate, PII, de-identified) of the combined data will be? Verify governance covers all data sets and actors –Ownership of input data –Ownership of LINKED data –Accountability –Collection

10 Mapping Process… Verify data sharing agreements needed and/or in place currently –Look at visual data flows/agencies involved to determine which laws/FERPA exception applies. Workforce: Definition (state) of a public official? Audit/Evaluation Exception: Determination of “Education Program” Audit/Evaluation Exception: Designating an “Authorized Representative” –Best practices for Data Sharing Agreements

11 What Is a Data Sharing Agreement? Can be called many different names: MOU, MOA, Contract, Written Agreement, etc. The mandatory elements of the agreement vary slightly between the two exceptions The data sharing checklist delineates the minimum requirements under the Studies and the Audit or Evaluation exceptions

12 Approaches to Data Sharing Agreements Master data sharing agreement across all early childhood partners with addendums for each request based on the type of exception No master data sharing agreement across all early childhood partners, only individual agreements for each request

13 Why Are Data Sharing Agreements Needed? They are now required when sharing under either the Audit/Evaluation exception or Studies exception Even under the School Official exception, it is a best practice to have an agreement in place

14 When Does FERPA Apply to EC Organizations? Child Data Federally funded Child record with PII and health data: FERPA applies. Health-record only. HIPPA may apply. NOT federally funded? Not FERPA protected. HIPAA may apply.

15 Key Points to Remember Properly de-identified data can be shared without any FERPA considerations and should be your FIRST option as it limits the risk of unauthorized PII disclosure In most cases, consent is the best approach for sharing PII with non-profit organizations Directory Information is often misunderstood. Opt-out provisions do not prevent data from being shared under the Audit/Evaluation or School Official exceptions

16 Data Sharing = Disclosure Remember: There is no “data sharing” or “research” clause in FERPA; rather, sharing of student PII is considered “disclosure” under FERPA and is only allowable under specific circumstances.

17 FERPA’s Audit or Evaluation Exception A state or local educational authority may designate a third party as their “authorized representative” and then disclose PII from education records to them for the purposes of conducting an audit or evaluation of a federal or state-supported education program.

18 FERPA’s Audit or Evaluation Exception - Requirements Disclosing entity must be a state or local educational authority Must be for the evaluation of a federal or state- supported education program Must use a written agreement to designate the recipient as the authorized representative The written agreement must include a number of required elements (see “Guidance on Reasonable Methods and Written Agreements”)

19 FERPA’s Audit or Evaluation Exception - Requirements The recipient must: Comply with the terms of the written agreement; Use the PII only for the authorized purpose; Protect the PII from further disclosure or other uses; and Destroy the PII when no longer needed for the evaluation.

20 School Official Exception Schools or LEAs can use the School Official exception under FERPA to disclose education records to a third party only if the outside party: Performs a service/function for the school/district for which the educational organization would otherwise use its own employees Is under the direct control of the organization with regard to the use/maintenance of the education records

21 School Official Exception Uses education data in a manner consistent with the definition of the “school official with a legitimate educational interest,” specified in the school/LEA’s annual notification of rights under FERPA Does not re-disclose or use education data for unauthorized purposes

22 Written Agreements: Studies Exception Written agreements must –Specify the purpose, scope, and duration of the study and the information to be disclosed, and –Require the organization to use PII only to meet the purpose(s) of the study limit access to PII to those with legitimate interests destroy PII upon completion of the study and specify the time period in which the information must be destroyed

23 Studies Exception Studies conducted “for or on behalf of” schools, school districts, or postsecondary institutions Studies must be for the purpose of –Developing, validating, or administering predictive tests; or –Administering student aid programs; or –Improving instruction. § 99.31

24 Note on the Studies Exception The "Audit/Evaluation” exception in 34 CFR §§99.31(a)(3) and is the most appropriate exception under IDEA and FERPA for data sharing arrangements for the IDEA early childhood community. In the very limited instance in which IDEA Part C or IDEA Part B section 619 agencies or programs propose to consider using the “Studies” exception under FERPA, such agencies and programs will want to consult with the Department’s Office of Special Education Programs (OSEP) and Family Policy Compliance Office (FPCO) regarding how the proposed data sharing would meet the requirements in 34 CFR §§99.31(a)(6) and (for IDEA Part C) and 34 CFR §§99.31(a)(6) and (for IDEA Part B Section 619).

25 Remember: Use the Appropriate FERPA Exception Schools/LEAs: IT contractors must meet criteria under the School Official exception discussed earlier. SEAs: Cannot use the School Official exception; therefore, must designate IT service providers as “authorized representatives ” under the Audit/Evaluation exception.

26 Audit or Evaluation Federal, State, and local officials listed under § 99.31(a)(3), or their authorized representative, may have access to education records only – –in connection with an audit or evaluation of Federal or State supported education programs, or –for the enforcement of or compliance with Federal legal requirements which relate to those programs. The information must be: –protected in a manner that does not permit disclosure of PII to anyone; and –destroyed when no longer needed for the purposes listed above.

27 Any entity or individual designated by a State or local educational authority or an agency headed by an official listed in § 99.31(a)(3) to conduct — with respect to Federal- or State-supported education programs — –any audit or evaluation, or any compliance or enforcement activity in connection with Federal legal requirements that relate to these programs Who Is an Authorized Representative?

28 What Are Written Agreements? Mandatory for LEA or SEA disclosing PII without consent under audit/evaluation Mandatory for school or LEA for disclosing to outside organization under the studies exception, or for SEA redisclosing for, or on behalf of, school or LEA

29 Reasonable Methods In disclosing to a designated authorized representative under audit/evaluation exception, LEA must ensure to the greatest extent practicable that an authorized representative –Uses PII only to carry out an audit or evaluation of education programs, or for the enforcement of or compliance with, Federal legal requirements related to these programs –Protects the PII from further disclosures or any unauthorized use –Destroys the PII records when no longer needed for the audit, evaluation, or enforcement or compliance activity §

30 As you begin... Understand the structure of your agencies, where the data currently resides and how the data flows (data mapping) Understand privacy considerations, particularly FERPA –What exception(s) applies? –Is there an MOU in place to share these data? –Does it address necessary data elements? –Aggregate and de-identified data Decide on the approach for sharing data –Master data sharing agreement with addendum –No master data sharing agreement, only individual agreement Decide on which exception is needed based on agreement type

31 How to Make the Decision Let’s look at the checklist Share DataTechnical sharing Master Data Sharing Agreement Specific Use for Sharing Studies Exception Audit and Eval. Exception

32 Commonalities All agreements should have a specified purpose for the agreement All agreements should have the identified data that will be shared All agreements should discuss destruction of data All agreements should discus the consequences of not following the agreement When using exceptions the agreement should always have information about how the data will be used (not applicable for a master data sharing agreement as this will be captured in the addendum)

33 Differences There are more differences than commonalities as is the nature of these agreements: Master AgreementsStudies ExceptionAudit or Evaluation Exception Focuses on the linkage and storage of data across entities Discusses where the data will reside and who owns it Very specific purpose Specific purpose Much more detail about the identification, use and destruction of PII

34 State Experiences: Lessons Learned North Carolina Colorado

North Carolina, Jill Singer

NC Early Childhood Integrated Data System (NCIDS ) A project and major goal of the NC RTT – Early Learning Challenge Grant A data system that: –integrates early childhood education, health, and social service information from key participating state agencies and –is focused on all children receiving state and federal services from NC participating agencies ages 0-5.

37

38 Key Participating Agencies NC Department of Health and Human Services (DHHS) –NC Division of Child Development and Early Education (DCDEE) –NC Division of Public Health (DPH) –NC Division of Social Services (DSS) NC Department of Public Instruction (DPI) Head Start Smart Start & The North Carolina Partnership for Children (NCPC)

39 Agency Memorandum of Agreement NC ECIDS has an agency-level Memorandum of Agreement (MOA) which outlines the data sharing agreement between the key participating agencies (KPA) Each KPA has appendices to the MOA that outline the programs and specific data elements to be included in NC ECIDS.

40 SUCCESSES CHALLENGES LESSONS LEARNED

41 Strategic Planning Anticipate Time and Investment Engage Stakeholders Continuous Feedback

42 Governance Council Research Panel External Stakeholders Panel

43 Collaboration, Coordination, Communication Adapt any existing agreements Make data sharing sustainable and equitable Utilize available resources (State Dept., PTAC, etc.)

Colorado, Nicholas Ortiz

45 Types of Agreements (In My World) SEA agreements with researchers Guidance for local education agencies Agreements with other state agencies Format: Overarching agreement with appendix for each use case Early Childhood Participation Project Part C/EI Part B/619 Colorado Preschool Program Head Start/Early Head Start Results Matter (Early Childhood Assessment)

46 Successes Challenges Use existing tools –Checklists –Review Boards –SEA Policies –State Law Help parties understand: they can define terms of the agreement, too! Communication and Messaging Evolving Data Privacy Policies Data Sharing Myths

47 Other Lessons Be humble. Be patient. Don’t underestimate how long it can take! Demonstrate value Create a clear process for data requests Consider other agencies’ governance processes Avoid sharing children’s names wherever possible

48 Successful data sharing agreements need: Strong Partnerships with Clear CommunicationA Clear ProcessWell-Developed Content Adapted from “Data Sharing: Creating Agreements. In Support of Community-Academic Partnerships” (2012). Paige Backlund Jarquín, MPH, University of Colorado.

49

50 Resources DaSy Center Privacy and Confidentiality at – confidentiality/ confidentiality/ PTAC Early Childhood Data Privacy –

51 DaSy Center Visit the DaSy website at: Like us on Facebook: Follow us

52 The contents of this presentation were developed under a grant from the U.S. Department of Education, # H373Z However, those contents do not necessarily represent the policy of the U.S. Department of Education, and you should not assume endorsement by the Federal Government. Project Officers, Meredith Miceli and Richelle Davis.