SLDS Technical Brief #1: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records NCES Publication # 2011-601


1 SLDS Technical Brief #1: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records
NCES Publication # 2011-601
http://nces.ed.gov/pubs2011/2011601.pdf
Marilyn Seastrom, NCES; Baron Rodriguez, AEM; Tom Szuba, QIP
American Educational Research Association (AERA), April 9, 2011

2 Background: NCES
The National Center for Education Statistics (NCES) is the primary federal entity for collecting and analyzing data related to education in the U.S. and other nations. NCES is located within the U.S. Department of Education and the Institute of Education Sciences.
http://nces.ed.gov

3 Background: SLDS
The Statewide Longitudinal Data Systems (SLDS) Grant Program is designed to aid state education agencies in developing and implementing longitudinal data systems. The data systems developed with these grants are intended to help states, districts, schools, and teachers make data-driven decisions to improve student learning, as well as facilitate research to increase student achievement and close achievement gaps. The focus of the grant program has evolved over the four rounds of SLDS awards (2006-2010), with early emphasis on K-12 systems expanding to more holistic P-20-WF (pre-kindergarten through workforce).
http://nces.ed.gov/programs/slds
74 grants to 41 states and DC. Total awards of $514 million.

4 The SLDS Technical Briefs
This series of SLDS Technical Briefs focuses on privacy, confidentiality, and security considerations related to data in student record systems, especially longitudinal data systems. The briefs are intended to inform practitioners responsible for the development, maintenance, protection, or use of student record data.
Author: Marilyn Seastrom, Chief Statistician and Acting Deputy Commissioner, NCES
NCES is seeking input and comments on these briefs. If you have any comments or suggestions, please send them to SLDStechbrief@ed.gov.

5 The SLDS Technical Briefs
1. Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records
2. Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records
3. Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting
Now AVAILABLE at http://nces.ed.gov/programs/ptac/TechnicalBriefs.aspx

6 The SLDS Technical Briefs
4. Data Access for External Researchers
5. Electronic Data Security, Protecting PII, and Electronic Student Education Records
6. Privacy Training: Increasing Awareness of Protections for PII in Student Education Records
To be released later in 2011.

7 The SLDS Technical Briefs
SLDS Technical Brief #1: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records
Discusses basic concepts and definitions that establish a common set of terms related to the protection of personally identifiable information, especially in education records in the Statewide Longitudinal Data Systems (SLDS). This Brief also outlines a privacy framework that is tied to Fair Information Practice Principles that have been promulgated in both the United States and international privacy work.

8 Presentation Topics
SLDS Technical Brief #1: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records
- Personally Identifiable Information (PII)
- Family Educational Rights and Privacy Act (FERPA)
- Directory Information
- Privacy
- Confidentiality
- Disclosure (Authorized, Unauthorized, and Inadvertent)
- De-Identified Data
- Techniques for Protecting Student Level Data
- Techniques for Protecting Aggregate Data
- Anonymized Data
- Data Stewardship
- Fair Information Practices
Privacy Resources from USED
- Technical Briefs
- PTAC
- FERPA - NPRM

9 Personally Identifiable Information
Personally Identifiable Information (PII):
- Central to all discussions about privacy and confidentiality
- Refers to information that can be used to distinguish or trace an individual’s identity
- Includes elements such as name, Social Security Number, biometric records, etc. (alone), or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date of birth, place of birth, mother’s maiden name, etc.
OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information

10 FERPA: Family Educational Rights and Privacy Act
Family Educational Rights and Privacy Act (FERPA):
- A Federal law that protects the privacy of student education records, such as report cards, transcripts, disciplinary records, contact and family information, and class schedules.
- Affords parents the right to have access to their children's education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records.
- FERPA generally requires written consent from parents before an education agency can disclose a student’s personally identifiable information to individuals or entities not approved under law.
- When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student.
20 U.S.C. § 1232g; 34 CFR Part 99

11 FERPA: Family Educational Rights and Privacy Act
What organizations are subject to FERPA?
FERPA applies to any educational agency or institution to which funds have been made available under any program administered by the Secretary of Education.
Family Educational Rights and Privacy Act Regulations, 34 CFR §99.1, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf

12 FERPA: Personally Identifiable Information
Personally identifiable information, as defined in FERPA, includes, but is not limited to:
- Student’s name
- Name of student’s parent or other family members
- Address of student or family
- Personal identifiers (e.g., SSN, student number, biometric record)
- Other indirect identifiers (e.g., place of birth, mother’s maiden name)
- Other information linkable to student
- Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates

13 Directory Information
FERPA allows the public release of some personally identifiable student information as school directory information:
- “Information that would not generally be considered harmful or an invasion of privacy if disclosed.”
- Public notice must be provided.
- Parent or the eligible student must be given right to refuse to have any or all of the student’s information released as directory information.

14 Directory Information
- Student’s name
- Address
- Telephone listing
- Email address
- Photograph
- Date and place of birth
- Major field of study
- Grade level
- Enrollment status
- Dates of attendance
- Participation in activities and sports
- Weight and height of members of athletic teams
- Degrees, honors and awards received
- Most recent educational agency or institution attended

15 Privacy Defined
Privacy relates to individual autonomy and each person’s control over their own information. This includes each person’s right to decide:
- when and whether to share personal information
- how much information to share
- the circumstances under which information can be shared

16 Privacy Defined: FERPA
Under FERPA, privacy pertains to the rights of parents and eligible students to:
- inspect and review the students’ education records
- seek to amend education records
- consent to the release of personally identifiable information
- refuse to have personally identifiable information that is designated as directory information publicly released

17 Confidentiality Defined
Confidentiality relates to the management of another individual’s personally identifiable information.
- Refers to the obligations of those who receive personal information about an individual to respect the individual’s privacy by safeguarding the information
- “An important distinction is that privacy pertains to individuals; confidentiality to their information.” (National Academy of Science 2009 Workshop Protecting Student Privacy and Facilitating Education Research, p. 4)

18 Disclosures of Confidential Information
Under FERPA, disclosure means to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records by any means including oral, written, or electronic, to any party except the party identified or the party that provided or created the record.

19 Disclosures of Confidential Information
- Authorized: FERPA authorizes or permits specific users and uses of personally identifiable information in student education records without the written consent of the parent or eligible student.
- Unauthorized: personally identifiable information from a student’s education record is made available to a third party who does not have legal authority to access the information.
- Inadvertent: information is unintentionally revealed through information released to the public.

20 Authorized Disclosures
- Other school officials who have legitimate educational interests
- Officials of school system or institution where student seeks to enroll
- In connection with financial aid
- Accrediting organizations
- In connection with health or safety emergency
- Parents of dependent students
- Information designated as directory information

21 Authorized Disclosures (cont.)
- Parent of student under age 18 (not enrolled in postsecondary institution)
- Eligible student (age 18 or enrolled in postsecondary education)
- State and local officials or authorities (under state statute)
- Organizations conducting approved studies
- Authorized representatives of the Comptroller General; Attorney General; U.S. Department of Education

22 Statistical Reports Using Confidential Information
- It is not a disclosure or a violation of the confidentiality of the information in the data when personal information is combined to produce a statistical report (for example, number of students)
- However, even with statistical reports, care must be taken to avoid inadvertent disclosures
- See Technical Brief #3: Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting

[In thousands; columns after Total are race/ethnicity; rows are actual values]

| Year | Total | White | Black | Hispanic | Asian / Pacific Islander | American Indian / Alaska Native |
|------|--------|-------|-------|----------|--------------------------|---------------------------------|
| 1994 | 12,215 | 8,213 | 1,949 | 1,445 | 475 | 130 |
| 1995 | 12,502 | 8,344 | 2,003 | 1,520 | 498 | 135 |
| 1996 | 12,849 | 8,529 | 2,043 | 1,608 | 526 | 141 |
| 1997 | 13,056 | 8,615 | 2,068 | 1,674 | 552 | 145 |
| 1998 | 13,195 | 8,669 | 2,073 | 1,732 | 572 | 148 |
| 1999 | 13,371 | 8,719 | 2,106 | 1,808 | 587 | 151 |
| 2000 | 13,517 | 8,750 | 2,119 | 1,894 | 601 | 153 |
| 2001 | 13,736 | 8,777 | 2,173 | 2,008 | 619 | 158 |
| 2002 | 14,069 | 8,854 | 2,257 | 2,148 | 642 | 168 |
| 2003 | 14,339 | 8,884 | 2,334 | 2,282 | 663 | 177 |
| 2004 | 14,618 | 8,920 | 2,408 | 2,427 | 686 | 178 |
| 2005 | 14,909 | 8,954 | 2,490 | 2,570 | 709 | 186 |
| 2006 | 15,081 | 8,938 | 2,540 | 2,701 | 720 | 181 |
| 2007 | 15,087 | 8,775 | 2,568 | 2,824 | 737 | 183 |

23 Can you identify the PII?
Technical Brief #3: Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting

24 De-Identification of Data
De-identified: records have enough personally identifiable information removed or obscured such that:
- the remaining information does not identify an individual
- there is no reasonable basis to believe that the information can be used to identify an individual
For researchers, a re-identification code can relate data back to individual student records.

25 De-Identification of Data
FERPA 2008 regulations allow for the nonconsensual release of student level information if:
- all personally identifiable information is removed
- there is a reasonable determination that a student’s identity is not distinguishable
Both single and multiple data releases should be taken into account.

26 Techniques to Protect Student Level Data
- Generalizing
- Suppressing
- Introducing “noise”
- Swapping
- Blanking and imputing
- Blurring

27 Techniques to Protect Aggregate Data
- Minimum cell sizes
- Suppression
- Random or controlled rounding
- Controlled tabular adjustment
- Special rules
- Careful use of re-identification codes

28 Anonymization of Data
Anonymized: data that have been de-identified and do not include a re-identification code.
- The student case numbers in the data records cannot be linked back to the original student record system.
- Differentiating anonymized data from de-identified data.
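
The difference between de-identified and anonymized releases described in slides 24 to 28 can be shown in code. This is an added example, not part of the presentation or the Technical Brief: the field names, the sample records, the choice of random codes, and the generalization of date of birth to birth year are all assumptions made for illustration.

```python
import secrets

# Fields treated as direct identifiers here (assumed field names).
DIRECT_IDENTIFIERS = {"student_id", "name", "ssn", "address"}

# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    {"student_id": "S-1001", "name": "Student A", "ssn": "000-00-0001",
     "address": "1 Example St", "date_of_birth": "2001-03-14",
     "grade_level": 10, "enrollment_status": "full-time"},
    {"student_id": "S-1002", "name": "Student B", "ssn": "000-00-0002",
     "address": "2 Example St", "date_of_birth": "2002-11-02",
     "grade_level": 9, "enrollment_status": "part-time"},
]

def _strip_and_generalize(record):
    """Drop direct identifiers and generalize date of birth to birth year."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    dob = out.pop("date_of_birth", None)
    if dob:
        out["birth_year"] = dob[:4]  # generalizing: YYYY-MM-DD -> YYYY
    return out

def de_identify(records):
    """Return (release, crosswalk).

    Each released row carries a random re-identification code. The
    crosswalk (code -> student_id) is kept by the data steward and is
    never part of the release. Codes are random rather than derived
    from identifiers, so the code alone reveals nothing about the student.
    """
    release, crosswalk = [], {}
    for rec in records:
        code = secrets.token_hex(8)
        while code in crosswalk:  # regenerate on the unlikely collision
            code = secrets.token_hex(8)
        crosswalk[code] = rec["student_id"]
        row = _strip_and_generalize(rec)
        row["reid_code"] = code
        release.append(row)
    return release, crosswalk

def anonymize(records):
    """Return a release with random case numbers and no crosswalk at all."""
    release = []
    for rec in records:
        row = _strip_and_generalize(rec)
        row["case_number"] = secrets.token_hex(8)
        release.append(row)
    # Shuffle so row position cannot be matched to the source system.
    secrets.SystemRandom().shuffle(release)
    return release

def re_identify(row, crosswalk):
    """Steward-side lookup; returns None when the row has no usable code."""
    return crosswalk.get(row.get("reid_code"))

if __name__ == "__main__":
    released, xwalk = de_identify(SAMPLE_RECORDS)
    print(released[0], "->", re_identify(released[0], xwalk))
    print(anonymize(SAMPLE_RECORDS))
```

Removing direct identifiers does not by itself settle whether the remaining fields could identify a student; that determination still has to be made for the release as a whole.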

29 Data Stewardship
Data stewardship is the responsibility to:
“… ensure that identifiable information is collected, maintained, used, and disseminated in a way that respects privacy, ensures confidentiality and security, reduces reporting burden, and promotes access to statistical data for public policy.”
U.S. Census Bureau and the American Statistical Association’s Committee on Privacy and Confidentiality

30 Data Stewardship
Maintaining personally identifiable information in student education records carries legal and ethical responsibilities:
- protecting the information
- ensuring the proper handling and use of the information
These elements of data stewardship are enacted in the various federal privacy and confidentiality laws that govern the use of personally identifiable information.

31 Five Principles of 1973 Fair Information Practices
1) There must be no personal data record keeping systems whose very existence is secret.
2) There must be a way for an individual to find out what information about him or her is in a record and how it is used.
3) There must be a way for an individual to prevent information about him that was obtained for one use from being used or made available for other purposes without his consent.
4) There must be a way for an individual to correct or amend a record of identifiable information about him.
5) Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for the intended use and must prevent misuse of the data.

32 Contemporary Fair Information Practice Principles
The Department of Homeland Security and Chief Information Officer Fair Information Practice Principles include:
- Transparency
- Individual participation and redress
- Purpose specification
- Data minimization and retention
- Use limitation
- Data quality and integrity
- Security
- Accounting and auditing

33 Privacy, Security, and the U.S. Department of Education
The U.S. Department of Education has announced a series of initiatives to safeguard student privacy while clarifying that states have the flexibility to share school data that are necessary to judge the effectiveness of government investments in education.
- Chief Privacy Officer
- Technical Briefs Featuring Best Practices
- Privacy Technical Assistance Center (PTAC)
- FERPA Clarification (NPRM)

34 What is PTAC?
The Privacy Technical Assistance Center at USED…
A “one-stop” shop for technical assistance related to best practices on privacy and data security. Provides stakeholders with:
- A set of tools, resources, and other opportunities to receive assistance with privacy, security, and confidentiality of longitudinal data systems.
- A means for stakeholders to share their best practices, documents, and other relevant resources in the areas of privacy, security, and confidentiality.
- A focal point for queries and responses to the privacy-related needs of state education agencies (SEAs), local education agencies (LEAs), and institutions of higher education (IHEs) in a confidential, safe environment.
- A set of resources to promote compliance with FERPA and other best practices for ensuring the confidentiality and security of personally identifiable information.

35 PTAC Resources
- “Privacy Toolkit” including Issue Briefs, Security Checklists, FAQs
- Technical Assistance Site Visits
- Training Materials, including Webinars
- Support Center
- Regional meetings

36 FERPA - NPRM Overview
On April 7, 2011, the U.S. Department of Education released a Notice of Proposed Rule Making (NPRM) under the Family Educational Rights and Privacy Act (FERPA). The proposed regulations would give states the flexibility to share data to ensure that taxpayer funds are invested wisely in effective programs, as well as increase accountability for institutions that handle FERPA protected records.
Under the Department's proposal:
- Enforcement provisions of FERPA would be strengthened to ensure that every entity working with personally identifiable information from student education records is using it for authorized purposes only.
- Schools will be able to implement directory information policies that limit access to student records, preventing marketers or criminals from accessing the data.
- States can enter into research agreements on behalf of their districts to measure the success of programs, such as early childhood programs that effectively prepare kids for kindergarten.
- High school administrators can share information on student achievement to track how their graduates perform academically in college.

37 About the NPRM Process
Q) What is an NPRM?
A) A Notice of Proposed Rulemaking (NPRM) is a public notice issued by law when a Federal agency wishes to add, remove, or change a rule or regulation as part of the rulemaking process. The proposed rule, or NPRM, is the official document that announces and explains the agency's plan to address a problem or accomplish a goal. All proposed rules must be published in the Federal Register to notify the public and to give them an opportunity to submit comments. The proposed rule and the public comments received on it form the basis of the final rule.
Q) What is the process for the changes proposed in the NPRM to become final?
A) The NPRM is published in the Federal Register to solicit public comments on the proposed rule; it is not final policy during this stage of the process. Depending on the content of the public comments, the Department may decide to either proceed with finalizing the proposed rule or terminate the rulemaking process. If the Department decides to proceed with finalizing the rule, the final rule and the Department’s response to the public comments are published in the Federal Register. The final rule will specify when the new regulation will take effect (typically no earlier than 30 days after publication).

38 Important Next Steps – FERPA NPRM
Q) How and when can the public view and comment on the NPRM?
A) The NPRM is published in the Federal Register at http://www.gpoaccess.gov/fr/
The full NPRM can also be found at http://www2.ed.gov/policy/gen/guid/fpco/ferpa/ferpa-nprm-april-2011.pdf
Additional resources, including a press release and “Safeguarding Student Privacy” handout, are available at http://www.ed.gov/fpco

39 Public Comments
The U.S. Department of Education welcomes your feedback on proposed amendments in the NPRM and encourages the public to comment at www.regulations.gov by the May 23rd deadline.

40 For more information…
Website: http://nces.ed.gov/programs/PTAC/
Help Desk: PrivacyTA@ed.gov
Toll Free Phone: 855-249-3072
Toll Free FAX: 855-249-3073
NCES: Emily.Anthony@ed.gov
Technical Briefs: Marilyn Seastrom, NCES, Marilyn.Seastrom@ed.gov

41 Feedback
NCES is seeking input and comments on these briefs. If you have any comments or suggestions, please send them to SLDStechbrief@ed.gov.
The U.S. Department of Education welcomes feedback on proposed amendments in the FERPA NPRM and encourages the public to comment at www.regulations.gov by the May 23rd deadline.

42 SLDS Technical Brief #1: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records
NCES Publication #2011-601
http://nces.ed.gov/pubs2011/2011601.pdf
Marilyn Seastrom, NCES; Baron Rodriguez, AEM; Tom Szuba, QIP (tomszuba@qi-partners.com)
Thank You for Participating

