PTAC Toolkit

The Privacy Technical Assistance Center (PTAC) has developed a body of best practice resources to help education stakeholders, including State educational agencies, local education agencies, and the postsecondary education community involved in building and using education data systems, learn more about data privacy, confidentiality, and security practices related to student-level longitudinal data systems.  Resources are organized according to five main topics, with the most up-to-date and relevant information on each topic displayed below. A complete list of resources by subject is available on linked webpages.  The PTAC Toolkit is updated regularly with new resources, including case studies, webinars, checklists, technical briefs, issue briefs, and other useful information. 

Security Best Practices

Checklist: Data Security (Dec 2011)

This checklist is designed to assist stakeholder organizations with developing and maintaining a successful data security program by listing essential components that should be considered when building such a program, with focus on solutions and procedures relevant for supporting data security operations of educational agencies.

Best Practices for Data Destruction

The Data Destruction document is a best practices guide on properly destroying sensitive student data after it is no longer needed.  It details the life cycle of data and discusses various legal requirements relating to the destruction of data under FERPA, and examines a variety of methods for properly destroying data.  The guide also discusses best practices for data destruction and provides some real-world examples of how to implement it within your organization.

Surviving Heartbleed Guide

The guide explains what the Heartbleed vulnerability in OpenSSL is, how it is exploited, the risks to your organization, and what steps you can take to protect your sensitive data and other online assets. The guide provides helpful advice and best practices to ensure that your systems remain secure.

Protecting Student Privacy While Using Online Educational Services.

This guidance should clarify questions related to student privacy and the use of educational technology in the classroom. 

The Department of Education and PTAC held a webinar on March 13 to review this guidance.


 

Data Governance

Technical Brief #2: Data Stewardship: Managing Personally Identifiable Information in Student Education Records (Nov 2010)

This Statewide Longitudinal Data Systems (SLDS) Technical Brief focuses on data stewardship, which involves each organization’s commitment to ensuring that privacy, confidentiality, security, and the appropriate use of data are respected when personally identifiable information is collected. Data stewardship involves all aspects of data collection, from planning, collection and maintenance to use and dissemination. The Brief also discusses internal control procedures that should be implemented to protect personally identifiable information, including the use of unique student identifiers and linking codes, workforce security, authorization for access, role-based access to student record data, permitted uses, and the handling of data breaches. This Brief concludes with a discussion of accountability and auditing, including an overview of the types of audit activities that can be implemented to ensure that all stages of data stewardship have been successfully implemented.

Issue Brief: Data Governance and Stewardship (Dec 2011)

This brief provides guidance on how to successfully manage complex data systems by establishing a comprehensive data governance approach. Data governance principles discussed in this paper apply to a large number of audiences and can be used to improve data management of systems spanning pre-school through postsecondary education and into the workforce.

Checklist: Data Governance (Dec 2011)

This checklist is designed to assist stakeholder organizations with establishing and maintaining a successful data governance program by summarizing the key data privacy and security components of such a program and listing specific best practice action items.

Transparency Best Practices

Parents often ask questions like “What information are you collecting about my child?” “Why do you need that information, and what do you use it for?” or “How do you safeguard my child’s information?” These are legitimate questions that parents want schools and districts to answer. This document provides a number of recommendations for keeping parents and students better informed about schools’ and districts’ collection and use of student data.

 

The recommendations contained in the guidance can be divided into three main categories: (1) what information schools and districts ought to communicate to parents; (2) how to convey that information in a way that parents can understand; and (3) how to respond to parent inquiries about student data policies and practices. 

Some of the best practices covered in the document include: 

  • making information about your student data policies and practices easy to find on your public webpage;
  • publishing a data inventory that details what information you collect about your students, and what you use it for;
  • explaining to parents what, if any, personal information is shared with third parties and for what purpose(s);  and
  • using multi-layered communication strategies that tailor the complexity of the information to the medium, and telling parents where they can get more detailed information if they want it.


 

Data Sharing/Dissemination

Early Childhood Regional Meeting Resource List (Aug 2013)

This document provides a comprehensive list of links to NCES, ED, and other state practitioners’ resources directly and indirectly related to Early Childhood data system practitioners. It includes applicable guidance documents in the areas of data use, research, privacy and security.

Joint FERPA Letter with ED OESE HHS ACF (Apr 2013)

This joint letter from the U.S. Department of Health and Human Services and the Department of Education, written to Chief State School Officers and State Child Welfare Directors, describes the Uninterrupted Scholars Act and its impact on data sharing between education and health and human service agencies.

FERPA Exceptions Summary (Apr 2014)

The various exceptions to FERPA can be confusing and difficult to keep track of.  The FERPA Exceptions Summary is intended to be a handy visual aid to help identify, at a glance, what FERPA exception applies to the data sharing work you are trying to do.  Both links below have the same content, only oriented in different ways to facilitate printing.

 

 


 

Disclosure Avoidance

Tech Brief #3: Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting (DRAFT; Dec 2010)

This Statewide Longitudinal Data Systems (SLDS) Technical Brief examines what protecting student privacy means in a reporting context. To protect a student's privacy, the student's personally identifiable information must be protected from public release. When schools, districts, or states publish reports on students' educational progress, they typically release aggregated data–data for groups of students–to prevent disclosure of information about an individual. However, even with aggregation, unintended disclosures of personally identifiable information may occur. Current reporting practices are described and each is accompanied by an example table that is used to consider whether the intended protections are successful. The Brief also illustrates that some practices work better than others in protecting against disclosures of personally identifiable information about individual students. Each data protection practice requires some loss of information. The challenge rests in identifying practices that protect information about individual students, while at the same time minimizing the negative impact on the utility of the publicly reported data. Drawing upon the review and analysis of current practices, the Brief concludes with a set of recommended reporting rules that can be applied in reports of percentages and rates that are used to describe student outcomes to the public. These reporting rules are intended to maximize the amount of detail that can be safely reported without allowing disclosures from student outcome measures that are based on small numbers of students.

PTAC - New Guidance: Disclosure Avoidance & Limiting Access to PII (Dec 2012)

PTAC provides an overview of the guidance documents on data disclosure avoidance and best practice strategies for protecting personally identifiable information (PII) from education records in aggregate reports. The webinar provides suggestions on how to ensure that necessary confidentiality requirements are met, including compliance with the Family Educational Rights and Privacy Act (FERPA).

Case Study #5: Minimizing Access to PII: Best Practices for Access Controls and Disclosure Avoidance Techniques (Oct 2012)

This case study illustrates best practices for minimizing access to sensitive information with education data maintained in a Statewide Longitudinal Data System. Two additional documents accompany this study: (1) an alphabetized glossary of terms related to data de-identification, and (2) FAQs about protecting personally identifiable information in education records when publicly reporting student data.
