The Privacy Technical Assistance Center (PTAC) has developed a body of best practice resources to help education stakeholders, including State educational agencies, local education agencies, and the postsecondary education community involved in building and using education data systems, learn more about data privacy, confidentiality, and security practices related to student-level longitudinal data systems. Resources are organized according to five main topics, with the most up-to-date and relevant information on each topic displayed below. A complete list of resources by subject is available on linked webpages. The PTAC Toolkit is updated regularly with new resources, including case studies, webinars, checklists, technical briefs, issue briefs, and other useful information.
Data Sharing/Dissemination
Guidance for Reasonable Methods and Written Agreements (Nov 2011)
This document provides guidance for schools, school districts (also referred to as local educational agencies [LEAs]), postsecondary institutions, and State educational authorities (such as State educational agencies [SEAs]) that may disclose personally identifiable information (PII) from education records. The document provides these entities with information about requirements and best practices for data disclosures under the studies exception and the audit or evaluation exception, as specified in the Family Educational Rights and Privacy Act.
Case Study #1: High School Feedback Report (Jan 2012)
This case study illustrates a scenario where a State educational agency creates high school feedback reports using the audit or evaluation exception under the Family Educational Rights and Privacy Act.
Checklist: Data Sharing Agreement (Apr 2012)
This document lists mandatory requirements for written agreements under the studies exception and the audit or evaluation exception, as specified in the Family Educational Rights and Privacy Act.
Disclosure Avoidance
This Statewide Longitudinal Data Systems (SLDS) Technical Brief examines what protecting student privacy means in a reporting context. To protect a student's privacy, the student's personally identifiable information must be protected from public release. When schools, districts, or states publish reports on students' educational progress, they typically release aggregated data–data for groups of students–to prevent disclosure of information about an individual. However, even with aggregation, unintended disclosures of personally identifiable information may occur. Current reporting practices are described and each is accompanied by an example table that is used to consider whether the intended protections are successful. The Brief also illustrates that some practices work better than others in protecting against disclosures of personally identifiable information about individual students. Each data protection practice requires some loss of information. The challenge rests in identifying practices that protect information about individual students, while at the same time minimizing the negative impact on the utility of the publicly reported data. Drawing upon the review and analysis of current practices, the Brief concludes with a set of recommended reporting rules that can be applied in reports of percentages and rates that are used to describe student outcomes to the public. These reporting rules are intended to maximize the amount of detail that can be safely reported without allowing disclosures from student outcome measures that are based on small numbers of students.
PTAC - New Guidance: Disclosure Avoidance & Limiting Access to PII (Dec 2012)
PTAC provides an overview of the guidance documents around Data Disclosure avoidance and best practice strategies for protecting personally identifiable information from education records (PII) in aggregate reports. The webinar provides suggestions on how to ensure that necessary confidentiality requirements are met, including compliance with the Family Educational Rights and Privacy Act (FERPA).
This case study illustrates best practices for minimizing access to sensitive information with education data maintained in a Statewide Longitudinal Data System. Two additional documents accompany this study: (1) An alphabetized glossary of terms related to data de-identification, and (2) FAQs about protecting personally identifiable information in education records when publically reporting student data.
Security Best Practices
Issue Brief: Data Security and Management Training: Best Practice Considerations (Dec 2011)
This brief provides best practices for data security and data management trainings for educational leaders. The brief discusses key training concepts to follow, content, delivery methods, and possible audiences for these trainings.
Checklist: Data Security (Dec 2011)
This checklist is designed to assist stakeholder organizations with developing and maintaining a successful data security program by listing essential components that should be considered when building such a program, with focus on solutions and procedures relevant for supporting data security operations of educational agencies.
Identity Authentication Best Practices (July 2012)
This brief offers best practice recommendations for developing and implementing effective authentication processes to help ensure that only appropriate individuals and entities have access to education records. General suggestions provided in the brief are applicable to all modes of data access, be it in person, over the phone, by mail, or electronically.
Data Governance
This Statewide Longitudinal Data Systems (SLDS) Technical Brief focuses on data stewardship, which involves each organization’s commitment to ensuring that privacy, confidentiality, security, and the appropriate use of data are respected when personally identifiable information is collected. Data stewardship involves all aspects of data collection, from planning, collection and maintenance to use and dissemination. The Brief also discusses internal control procedures that should be implemented to protect personally identifiable information, including the use of unique student identifiers and linking codes, workforce security, authorization for access, role based access to student record data, permitted uses, and the handling of data breaches. This Brief concludes with a discussion of accountability and auditing, including an overview of the types of audit activities that can be implemented to ensure that all stages of data stewardship have been successfully implemented.
Issue Brief: Data Governance and Stewardship (Dec 2011)
This brief provides guidance on how to successfully manage complex data systems by establishing a comprehensive data governance approach. Data governance principles discussed in this paper apply to a large number of audiences and can be used to improve data management of systems spanning pre-school through postsecondary education and into the workforce.
Checklist: Data Governance (Dec 2011)
This checklist is designed to assist stakeholder organizations with establishing and maintaining a successful data governance program by summarizing the key data privacy and security components of such a program and listing specific best practice action items.
Legal References (FERPA and Cross-Agency)
Model Notice for Directory Information (Mar 2011)
This document is a template notice for notifying parents and eligible students (students over 18 years of age or attending a school beyond the high school level) about the type of information from student’s education records, designated by a School District as “directory information,” that schools may disclose without consent, unless advised to the contrary.
Model Notification of Rights under FERPA for Postsecondary Institutions (Dec 2011)
This document is an example of a notice that postsecondary institutions can use to inform parents and eligible students (students 18 years of age or older or who attend a postsecondary institution) about their rights under the Family Educational Rights and Privacy Act (FERPA) with respect to students’ education records.
Model Notification of Rights for Elementary and Secondary Schools (Feb 2012)
This document is a template notice for notifying parents and eligible students (students 18 years of age or older or who attend a postsecondary institution) about their rights under the Family Educational Rights and Privacy Act (FERPA) with respect to students’ education records.