Protecting Student Records and Facilitating Education Research: A Workshop Summary (2009)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

2 Balancing Privacy, Confidentiality, and Access at the U.S. Department of Education This chapter illuminates tensions between the privacy and confiden- tiality goals of the Family Educational Rights and Privacy Act (FERPA) and the goal, included in the No Child Left Behind Act, of using educa- tion data for research and accountability. The first section describes the Department of Education’s current approach to implementing FERPA as it affects data access for research, as well as its proposed new FERPA rules. The second section discusses a Department of Education initiative to assemble and publicly report state educational achievement data and the challenges of doing so while protecting privacy and confidentiality. The final section sketches a successful approach to providing research access while protecting privacy and confidentiality, used in the department’s own National Center for Education Statistics. CURRENT INTERPRETATION AND PROPOSED NEW REGULATIONS Ellen Campbell (U.S. Department of Education) provided an over- view of the law and regulations (U.S. Code, Title 20, Chapter 31, Section 1232g). FERPA directs schools and higher education institutions to protect the rights of parents and students (age 18 or entering college) to inspect and review education records, to seek to amend education records, and to consent to disclosure of personally identifiable information from educa- tion records. The law applies to education agencies that receive funding from the department, including public elementary and secondary schools,  

10 PROTECTING STUDENT RECORDS some private elementary and secondary schools, and public or private institutions of higher education. FERPA provisions apply to a wide vari- ety of education records, including medical records maintained by school health professionals. Provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L. 104-191), as well as FERPA regulations, clarify that school medical records protected by FERPA are not governed by HIPAA. FERPA defines “personally identifiable information” to include not only the student’s name and the name of the student’s parent or other family member and address of the student or student’s family, but also a personal identifier, such as a social security number or student number or a list of personal characteristics or other information that would make the student’s identity easily traceable. Although one of the primary rights of parents and students protected by FERPA is to consent to disclosure of personally identifiable information, such consent is not required under certain exceptions. Two of these exceptions are sometimes applied in deci- sions granting access to education records for research purposes: •  isclosure to federal, state, and local educational authorities con- D ducting an audit, evaluation, or enforcement of education programs (U.S. Code, Title 20, Chapter 31, Section 1232g, Subsection b). •  isclosure to “organizations conducting studies for, or on behalf of, D educational agencies or institutions for the purpose of developing, validating, or administering predictive tests, administering student aid programs, and improving instruction” (Ibid). The law requires a school or higher education institution to maintain a record of each request for access to and each disclosure of an education record. In addition, when disclosing information from education records, the school should inform the receiving party that the information may not be further disclosed (with some exceptions). Campbell said that the Department of Education expects that its pro- posed new FERPA regulations (U.S. Department of Education, 2008a) will improve access to education data for research and accountability purposes. The new rules would make it easier for state and local educa- tion agencies to redisclose information to each other, such as when a state department of education discloses student K-12 education records to a state higher education commission in order to track individual student achievement over time. The proposed rules would also update and clarify the definition of personally identifiable information and provide stan- dards for removing all personally identifiable information from education data, as necessary or appropriate to release the information as deidenti- fied data. A state education agency’s release of properly deidentified data 

BALANCING PRIVACY, CONFIDENTIALITY, AND ACCESS 11 (meeting these standards) to an outside researcher would not constitute a disclosure requiring prior informed consent. In addition, the regulations would permit a state education database or education agency to attach a code to properly deidentified information that allows an education researcher to match information received from the same source. Finally, the proposed rule provides new information and recommendations for safeguarding records contained in electronic data systems. Steven Winnick (Nelson Mullins Riley & Scarborough) argued that, despite some improvements in the proposed rules, FERPA continues to present significant barriers to the use of state data systems to improve public education. He noted that both federal and state policies call for using these data systems to advance standards-based education reform and that the department’s Institute of Education Sciences had awarded $50 million to the states in fiscal year 2008 to develop and maintain these data systems. Winnick explained that he works closely with the Data Quality Cam- paign, a national, collaborative effort to encourage states to compile lon- gitudinal databases of education information (National Center for Edu- cational Achievement, 2008). Its goal is not to water down the protections of FERPA, but to facilitate use of education records for research and accountability purposes. The major challenge to advancing this goal, in his view, is that FERPA has been interpreted to lodge virtually all control of student data in individual schools and institutions of higher education. The department’s regulations state that FERPA covers local education agencies, including public schools and higher education institutions, but not state education agencies. Echoing Campbell, Winnick said that FERPA prohibits these agencies and institutions from disclosing personally identifiable education records without written parental consent, unless the disclosure is covered by a list of exceptions. He observed that “education records” have been very broadly defined to include records, files, and other materials directly related to a student and maintained by an education agency. For example, a case that challenged students’ peer review and editing of other students’ papers went all the way to the Supreme Court, which ruled that these papers were not education records under FERPA. FERPA directs the Department of Education to seek voluntary compli- ance before imposing the sanction of cutting off federal funds—a sanction   Currently, FERPA applies to “an educational agency or institution to which funds have been made available under any program administered by the Secretary if (1) The educational institution provides educational services or instruction, or both, to students; Or (2) The educational agency is authorized to direct and control public elementary or secondary, or postsecondary educational institutions” (U.S. Code, Chapter 34, Section 99.1). 

12 PROTECTING STUDENT RECORDS to be applied only if the school or school district establishes a policy or practice of making unauthorized disclosures of education records. A 2002 Supreme Court decision clarified that parents and others may not sue a school or local education agency for alleged violations of FERPA. Winnick said that, although the Department of Education has never imposed this sanction, the law has had a “significant chilling effect” on the develop- ment of robust state education data systems. He said it is clearly permis- sible to disclose deidentified data, not traceable to individual students, from state longitudinal data systems. In addition, FERPA does not pro- hibit creating a state data warehouse, obtaining personally identifiable information from student education records, or using these data to evalu- ate schools, districts, postsecondary institutions, and programs, including making accountability determinations. State education agency employees and contractors engaged by the state may review and analyze personally identifiable information for these purposes. Winnick agreed with Campbell that parental consent is not required if a school or local education agency discloses personally identifiable education information to organizations that will conduct research stud- ies for or on their behalf to improve instruction. However, he said, it is unclear what “for, or on behalf of,” means and whether a state education data system may authorize such studies. The proposed new regulations do not appear to authorize state education agencies to redisclose data for studies, and, if such authorization were provided, would continue to make such redisclosure subject to the current requirement that a school or local education agency record each disclosure or redisclosure. Winnick asked whether this would mean that the state data system must obtain permission from the school or local education agency, either at the time of redisclosure or at the time when the state first obtains the data (disclo- sure from the local education agency to the state). He suggested that the proposed regulations be revised to permit recordation of the disclosure by state education officials at the time they make a redisclosure. Campbell responded that the reason for recording a disclosure is so that a parent or student would know who is seeing their records, and that this was an important issue when FERPA was first implemented. She said that, even if the state were authorized to record the disclosure, a copy of that record would have to be in the school, where the student or parent could see it. Winnick agreed but said that parental requests to see these records of disclosures were infrequent. He suggested that, if there is a parental request, that request be forwarded by the school to the state,   Campbell agreed that the sanction has never been imposed, explaining that the local education agencies have responded to threats of funding cutoffs by coming into compliance with FERPA. 

BALANCING PRIVACY, CONFIDENTIALITY, AND ACCESS 13 so that, when the state authorizes a redisclosure, the state will send that information back to the school. He also said it might not be very difficult, because most the information could be exchanged electronically. Campbell said that it was unclear how frequently parents were requesting records of disclosures, because the department heard of such requests only when the school or school district denied access and parents complained to the department. Winnick did not disagree but said the department’s own cost-benefit analysis of the proposed regulations includes low estimates of the number of parental requests for records of disclosures. Winnick said the proposed regulations would provide a needed change in the Department of Education’s interpretation of the FERPA authorization for release of data for studies “for, or on behalf of,” edu- cation agencies and institutions. Although the current interpretation excludes studies initiated by a research organization, the proposed new rule would authorize release of data if there is an agreement between the education agency or institution and the organization performing the study. However, he indicated that the proposed regulation does not pro- vide for state education authorities to enter these research agreements, thus undermining a key purpose for the state education data systems. Winnick pointed out that the Department of Education’s own National Center for Education Statistics, which is subject to the same FERPA provi- sions as state data systems, has a long-standing practice of entering licens- ing agreements with third-party research organizations to use student data for research studies. Winnick welcomed provisions in the proposed regulations that would increase the ability of different state agencies to share education records, which he said would aid creation of data systems that link student data across levels of education, from prekindergarten through postsecondary education. These linked data systems, he said, would be useful for con- tinuous improvement and alignment, to track individual students, and for evaluation and accountability. The proposed regulations would—if they increased the states’ authority to record disclosures and enter into studies—provide adequate flexibility in this area, according to Winnick. In closing, Winnick argued that his proposals would not raise fun- damental privacy concerns, because three things would not change: (1) who may receive a disclosure of personally identifiable information, (2) the purposes for which the information may be received, or (3) the fact that the state is maintaining this information. The only real issue, he said, is whether the state—as well as a local agency or individual school—may control the decision and the process to authorize research studies and to disclose data for such studies (and record the disclosure). He concluded that FERPA needs to be reinterpreted, or possibly amended, to harmonize state and federal education policies, rather than to thwart core purposes 

14 PROTECTING STUDENT RECORDS of state education data systems. Without further changes, he argued, FERPA would frustrate use of state-level, personally identifiable student data for research conducted by organizations other than the state educa- tion agency. In the discussion that followed Campbell’s presentation, Marilyn Seastrom (National Center for Education Statistics) explained that one impetus for the proposed new regulations was to address the states’ uncer- tainty about the meaning of “for, or on behalf of.” This language, she said, put the state in the position of endorsing that a proposed research study would be useful to the school or local education agency, causing them to be very cautious about disclosing education records for studies. The proposed regulations, she said, clarify that these words simply mean that the study is something the state recognizes as having potential value. Winnick expressed concern that, although the proposed regulations do allow the state to redisclose student data for a number of purposes, they do not authorize the state to do so for a study. Rather, in implement- ing the statutory requirement that the study must be “for, or on behalf of an educational agency or institution,” the proposed regulations only permit a school, local school district, or educational institution to enter an agreement for a study and release data pursuant to the agreement. He said that it would be legal and quite simple for the Department of Educa- tion to clarify that the definition of an “educational agency or institution” includes a state education agency or that the state education agency may enter a study agreement on behalf of schools or school districts in the state. Responding to a question, Campbell indicated that her office does not formally certify collaborations between education agencies and research groups as compliant with FERPA, but it does review collaboration propos- als and provide informal opinions on compliance. Myron Gutmann sug- gested that, because state longitudinal data systems contain the history of individual students’ school participation from kindergarten through higher education, these records could never be completely deidentified. He observed that, if a girl attended a particular school in second grade and another school in a different county in fifth grade, the individual would be obvious as a unique case in the data. Gutmann asked whether any transfer of data from such longitudinal databases to a researcher would constitute a disclosure of personally identifiable information. Seastrom agreed that, because it would be easy to identify one person’s unique case, such a transfer would always pose a problem unless the education agency did not allow any directory information at all in the deidenti- fied files. Gutmann responded that he would talk later in the workshop about similar situations, in which researchers are allowed access to data only with strong protections, such as the use of synthetic data or strong 

BALANCING PRIVACY, CONFIDENTIALITY, AND ACCESS 15 contracts between researchers and data holders, such as those used by the National Center for Education Statistics and by his center. INITIATIVE ON REPORTING STATE EDUCATIONAL PERFORMANCE DATA Ross Santy (U.S. Department of Education) described several pub- lic and private initiatives to use and publicly report education data to improve students’ academic achievement. Because these initiatives focus on reporting of aggregated data, representing an entire school, school district, or state, the potential for disclosure of individual student infor- mation is small. Nevertheless, as discussed below, the states must make alterations before reporting some subsets of these data files, in order to ensure compliance with the confidentiality requirements of FERPA. The Department of Education’s EDFacts initiative aims to access and use student performance data created by the testing requirements of the No Child Left Behind Act of 2001 in order to create a usable national data set (U.S. Department of Education, 2008b). The No Child Left Behind Act requires the states not only to collect and analyze student performance data, but also to publicly report these data in the form of state, district, and school-level “report cards.” The report cards must provide student achievement results, both overall and within different groups, such as those with limited English proficiency, those with diagnosed learning disabilities, and members of different racial or ethnic groups. The report cards must also include information on the percentage of students not tested, two-year trend data by subject and grade, each school’s status in attaining adequate yearly progress, the professional qualifications of teachers, and other data. Santy explained that, as the states have increased their public report- ing of aggregated educational achievement and school accountability data over the past few years, they have received more requests from outside education organizations and researchers for access to their data in a form that is more usable than the report cards. Many states have responded, posting an annual report card data file on their websites, along with the annual report card. At the same time, the states have received more requests for data from the EDFacts initiative. A key component of this ini- tiative was the creation of the Education Data Exchange Network (EDEN) in 2004, as a pipeline to bring state data into the department. To reduce the burden on the states of complying with these multiple requests for data, the Data Quality Campaign, a national organization dedicated to assisting states in developing and using longitudinal data systems, has collaborated with the EDFacts office and independent edu- cation organizations to develop the “Coordinated Data Ask” (CDA). In 

16 PROTECTING STUDENT RECORDS response, state education agencies are beginning to make CDA files avail- able for download on their websites. These files represent a common set of indicators that are often requested by policy analysts and researchers. Reflecting the growing interest in access to these data, the Council of Chief State School Officers and Standard & Poor’s (2008) are developing the State Education Data Center, to be an online repository for consistently formatted files of aggregated school-, district-, and state-level education data. The website, created in late 2007, has had a rapidly growing number of hits. Returning to his description of the EDFacts initiative, Santy said that the EDFacts reporting tools were introduced in spring 2006. For the first three years of the initiative, states voluntarily provided data to EDFacts and, in 2007, the department finalized a regulation requiring electronic submission of data and granting states a two-year transition window. The formal data request to the states was designed to encompass the range of types of data the states were already required to collect, including basic demographics, student performance data, measures of adequate yearly progress, and other data. The states have provided an increasing percent- age of the data types and amounts requested by the department over the past three years. Santy explained that analysts in the EDFacts office are currently com- piling the data from state education agencies, studying its quality, and determining what is appropriate to be shared with the public. Although they definitely plan to make the national data set public, and they would like to share it with the State Education Data Center in order to reduce the burden of reporting requirements on the states, they have not done so yet. Santy explained that the EDFacts office has not made the data public because it has not received a consistent answer from the Department of Education about what constitutes “appropriate” privacy protections. He explained that different offices in the Department of Education have quite different policies and procedures, including licensing agreements used by the National Center for Education Statistics and different data- masking procedures used by the Office for Civil Rights when it makes data sets public and by the Office of Special Education Programs in its annual reports to Congress on implementation of the Individuals with Disabilities Education Act. Santy outlined several questions about confidentiality facing the states as they cooperate with the Department of Education, the Data Qual- ity Campaign, and the State Education Data Center to share and report their performance data. The No Child Left Behind Act includes provi- sions designed to protect the confidentiality of student records, directing   See http://www.schooldatadirect.org/. 

BALANCING PRIVACY, CONFIDENTIALITY, AND ACCESS 17 each state to establish a “reporting N size.” Under the law, if a cell were to fall below this N size, the state must ensure that the information in that cell would not be publicly reported in a state education report card, in a data file, or in any other way. The data must be redacted, masked, or otherwise controlled. One frequent question from the states is how to respond if one subgroup falls below the reporting N size for a given grade or performance level. Should the state suppress the one subgroup and the total or, alternatively, report only the total data and suppress all of the subgroup data? A more fundamental question is, as growth models are more frequently used to meet No Child Left Behind Act testing require- ments, what data should be reported and how will privacy be protected over time? Santy said that, although the Department of Education currently has no official answer to such questions, officials are now discussing the dif- ferent approaches used in the department. These discussions address the different uses of the data sets, why they are being made public, and whether different purposes may require different procedures for main- taining confidentiality. Santy described the current situation as “unfor- tunate,” with many different interpretations of how to protect individual privacy of student records, but no common approach. DATA LICENSING SYSTEM OF THE national center for education statistics The National Center for Education Statistics at the Department of Education balances confidentiality with research access through a data licensing system, described by Marilyn Seastrom. Seastrom opened by noting that the center uses somewhat different disclosure protections for its own sample survey data than for administrative data owned and maintained by the states. She said that applying the same protections used for sample data to state administrative data sets would reveal the center’s approach to protecting the sample data, which includes adding noise and substituting data. Such changes would be readily apparent to state analysts who are familiar with their data and would be inappropri- ate, because the state data do not belong to the center. Seastrom explained that the National Center for Education Statistics collects and compiles statistics on education in the United States at all levels, from preschool through adult education. In the process, the center often obtains confidential data about specific institutions and individu- als. As required by the Education Sciences Reform Act of 2002 (P.L. 107- 279), the center has established confidentiality standards that define indi- vidually identifiable information to include “any record, response form, completed survey, or aggregation thereof from which information about 

18 PROTECTING STUDENT RECORDS particular individuals . . . may be revealed.” Such information includes not only direct identifiers, such as a name or social security number, but also indirect identifiers (e.g., place of birth, race/ethnicity, a specific geographic location) that in combination are linkable to a specific indi- vidual. She said that a microdata set with thousands of variables for tens of thousands of people could potentially include many unique strings of individual cases across all those items, and this is what the center tries to guard against disclosing. Seastrom said that the center’s mandate to protect privacy and con- fidentiality is governed not only by FERPA but also by specific confi- dentiality provisions in the Education Sciences Reform Act and by the Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA). Section 183 of the Education Sciences Reform Act, known as the Institute of Education Sciences (IES) confidentiality law, states that no person may •  se any individually identifiable information collected under an u Education Sciences Reform Act nondisclosure pledge for any non- statistical purpose, except in the case of terrorism; •  ake any publication whereby the data for a particular person can m be identified; or •  ermit anyone other than the individuals authorized by the direc- p tor to examine the individual reports. In addition, both this law and CIPSEA regulations exempt the center’s individually identifiable data from the legal process, including requests from the public under the Freedom of Information Act. Seastrom highlighted two important ways in which the IES confi- dentiality law differs from more general FERPA requirements. First, it states: employees including temporary employees or other persons who have sworn to observe the limitations imposed by this law, who knowingly communicate any individually identifiable information will be subject to fines up to $250,000 or up to five years in prison or both (Class E felony). Second, the law allows the commissioner of the National Center for Edu- cation Statistics to use temporary staff, including federal, state, or local agency employees and private employees, “but only if such temporary staff are sworn to observe the IES confidentiality law.” This specific clause, Seastrom said, is the basis of the center’s licensing process, providing the legal authority to require people outside the center to “take our oath and have access to the data.” Winnick expressed disagreement that these 

BALANCING PRIVACY, CONFIDENTIALITY, AND ACCESS 19 provisions gave the center broader legal authority than the states have to disclose student data to third parties for research studies. The center’s confidentiality procedures guard two types of released data: (1) restricted-use data (the type provided to researchers under license) and (2) public-use data. For restricted-use data sets, the center removes all direct identifiers and either makes confidentiality edits (data perturbation) or restricts cell sizes. Data perturbation techniques directly alter individual respondents’ data for some variables, such as blanking out randomly selected records; combining multiple records into a single record; adding random noise; and swapping or switching data. Release of public-use data sets begins when center analysts conduct disclosure limitation analysis of the restricted-use data, in order to determine which records require masking prior to public release. This analysis leads to fur- ther data perturbation to create public-use data sets. These changes pro- tect center employees against the disclosure penalties described above, as employees can honestly tell a judge that they did not know whether data they released included individually identifiable information. A disclosure review board made up of technical experts approves data perturbations for restricted-use data files and clears release of masked public-use files. To reduce the need for release of both types of data, the center provides a data analysis system. This analysis software system provides online tabu- lations in a framework that allows external users to analyze individually identifiable data without direct access to individual data records. In the data licensing system, center data security staff issue licenses for access to restricted-use data, while contracted security investigators conduct inspections to ensure that the confidentiality provisions of the license are met. The license itself is between the Institute of Educational Sciences, the user, and the user’s institution or organization. The licens- ing system began as a trial in 1991 and was formalized in 2002 following passage of CIPSEA, which allows federal statistical agencies to enter into licensing and contracting agreements. In 2007, the center implemented an electronic system to apply for licensing, and the center expected to issue 900 licenses for access to restricted-use data over the course of 2008. Individual researchers must apply for a license through an organiza- tion based in the United States, submitting a formal request with detailed information about the research project, its objective, an explanation of why the public-use files or the center’s data analysis system cannot meet the researcher’s need, and other information. Once the application is approved, the researcher must submit the signed license documents, along with a formal security plan and notarized affidavits of nondisclosure, for all those listed on the license as authorized users. The license documents include detailed information about the data, the authorized users, security requirements, and penalties for misuse or disclosure, and they must be 

20 PROTECTING STUDENT RECORDS signed by both the researcher and a senior official authorized to legally bind the institution. The security plan specifies the exact location where the data are held and used, the physical security of the building and room, and required computer security provisions. For example, the restricted- use data must be loaded and run on a standalone computer, any network devices must be disconnected when the restricted-use data are installed and used on the computer, and the data must be purged and overwritten prior to reattaching to any network. Seastrom explained that contracted security personnel monitor com- pliance with all aspects of the security plan and security requirements, which limit data use to a secure room or office, require a password (which must be changed every three months) to log into the computer, limit the data to read-only access, and require the licensee to remove the data either at the end of the project or when reattaching the computer to the network. The license gives center data security officials the right to con- duct unannounced, unscheduled inspections of the licensee’s site. At the same time, however, the licensee is responsible for ensuring that daily operations comply with the license and security plan, maintaining a file of license-related documents, and ensuring that all authorized users read and understand this file. In addition, the licensee must submit any presen- tation or publication to the center for disclosure review prior to release, notify the center of any changes to the project or its staff, and close the license after destroying the restricted-use data. Seastrom closed her presentation with several licensing lessons learned for other agencies and organizations wishing to protect data: •  aintain complete and detailed records of all license transactions; m • use security inspections to monitor minor violations; •  aintain regular contact with licensees, using e-mail and auto- m mated features of the electronic license system (e.g., by sending annual reminders for personnel and security updates); and • automate license closeout reminders. She observed that, although the center’s licensing system was developed to conform to the IES confidentiality law, it can work equally well in other situations. For example, the National Science Foundation operates a licensing system that mirrors the center’s system, and both the National Institute on Aging and the National Institute for Child Health and Devel- opment have used university data labs to distribute confidential data to qualified researchers through agreements that are similar to the center’s license and include onsite security inspections. In response to these lessons learned, Felice Levine asked whether schools, school districts, and states could use a license to provide research- 

BALANCING PRIVACY, CONFIDENTIALITY, AND ACCESS 21 ers with access to education records, and Seastrom agreed that licenses could be used to establish a formal agreement for data access. In response to another question, Seastrom said that the center’s licensing system is not subject to review by the Department of Education institutional review board. The department’s general counsel determined that, given the cen- ter’s strong legal requirements protecting confidentiality and stringent penalties for violation of these requirements, it was unnecessary for the institutional review board to be involved in decisions about how the cen- ter should protect the data. However, a researcher who accesses restricted- use data through the licensing system may be required to obtain approval from the institutional review board at her or his home institution. Miron Straf asked whether, under the law, a licensed researcher who discovered individually identifiable information in restricted-use data provided by the center was responsible for protecting that information. Seastrom agreed that, in this case, the burden of protection would lie with the researcher. Straf then asked whether the center might play a role in bringing state data, either virtually or physically, into its system of protections with access through licensing, and Seastrom replied that she believed the center would be open to discussing this.