PTAC Toolkit

The Privacy Technical Assistance Center (PTAC) has developed a body of best practice resources to help education stakeholders, including State educational agencies, local education agencies, and the postsecondary education community involved in building and using education data systems, learn more about data privacy, confidentiality, and security practices related to student-level longitudinal data systems.  Resources are organized according to five main topics, with the most up-to-date and relevant information on each topic displayed below. A complete list of resources by subject is available on linked webpages.  The PTAC Toolkit is updated regularly with new resources, including case studies, webinars, checklists, technical briefs, issue briefs, and other useful information. 

Data Sharing/Dissemination

Toolkit Data SharingEarly Childhood Regional Meeting Resource List (Aug.2013)

This document provides a comprehensive list of links to NCES, ED, and other state practitioner’s related resources directly and indirectly related to Early Childhood data system practitioners.  It includes applicable guidance documents in the areas of data use, research, privacy and security

Toolkit Data Sharing

Joint FERPA Letter with ED OESE HHS ACF (Apr 2013)

This letter written to Chief State School Officers and State Child Welfare Directors between the U.S. Department of Health and Human Services and Department of Education describes the Uninterrupted Scholars Act and its impact on data sharing between education and health and human service agencies.

Toolkit Data Sharing

FERPA Exceptions Summary (Apr 2014)

The various exceptions to FERPA can be confusing and difficult to keep track of.  The FERPA Exceptions Summary is intended to be a handy visual aid to help identify, at a glance, what FERPA exception applies to the data sharing work you are trying to do.  Both links below have the same content, only oriented in different ways to facilitate printing.



View More Data Sharing Content


View More Legal References Content


Security Best Practices

Toolkit Security Best Practices

Issue Brief: Data Security and Management Training: Best Practice Considerations (Dec 2011)

This brief provides best practices for data security and data management trainings for educational leaders. The brief discusses key training concepts to follow, content, delivery methods, and possible audiences for these trainings.

Toolkit Data SecurityIdentity Authentication Best Practices (July 2012)

This brief offers best practice recommendations for developing and implementing effective authentication processes to help ensure that only appropriate individuals and entities have access to education records. General suggestions provided in the brief are applicable to all modes of data access, be it in person, over the phone, by mail, or electronically.

Toolkit Data SecurityChecklist: Data Security (Dec 2011)

This checklist is designed to assist stakeholder organizations with developing and maintaining a successful data security program by listing essential components that should be considered when building such a program, with focus on solutions and procedures relevant for supporting data security operations of educational agencies.

Toolkit Security Best Practices

Protecting Student Privacy While Using Online Educational Services.

This guidance should clarify questions related to student privacy and the use of educational technology in the classroom. 

The Department of Education and PTAC held a webinar on March 13 to review this guidance.

View More Data Security Content


Disclosure Avoidance

Toolkit Disclosure AvoidanceTech Brief #3: Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting (DRAFT; Dec 2010)

This Statewide Longitudinal Data Systems (SLDS) Technical Brief examines what protecting student privacy means in a reporting context. To protect a student's privacy, the student's personally identifiable information must be protected from public release. When schools, districts, or states publish reports on students' educational progress, they typically release aggregated data–data for groups of students–to prevent disclosure of information about an individual. However, even with aggregation, unintended disclosures of personally identifiable information may occur. Current reporting practices are described and each is accompanied by an example table that is used to consider whether the intended protections are successful. The Brief also illustrates that some practices work better than others in protecting against disclosures of personally identifiable information about individual students. Each data protection practice requires some loss of information. The challenge rests in identifying practices that protect information about individual students, while at the same time minimizing the negative impact on the utility of the publicly reported data. Drawing upon the review and analysis of current practices, the Brief concludes with a set of recommended reporting rules that can be applied in reports of percentages and rates that are used to describe student outcomes to the public. These reporting rules are intended to maximize the amount of detail that can be safely reported without allowing disclosures from student outcome measures that are based on small numbers of students.

Toolkit Disclosure AvoidancePTAC - New Guidance: Disclosure Avoidance & Limiting Access to PII (Dec 2012)

PTAC provides an overview of the guidance documents around Data Disclosure avoidance and best practice strategies for protecting personally identifiable information from education records (PII) in aggregate reports. The webinar provides suggestions on how to ensure that necessary confidentiality requirements are met, including compliance with the Family Educational Rights and Privacy Act (FERPA).

Toolkit Disclosure AvoidanceCase Study #5: Minimizing Access to PII: Best Practices for Access Controls and Disclosure Avoidance Techniques (Oct 2012)

This case study illustrates best practices for minimizing access to sensitive information with education data maintained in a Statewide Longitudinal Data System. Two additional documents accompany this study: (1) An alphabetized glossary of terms related to data de-identification, and (2) FAQs about protecting personally identifiable information in education records when publically reporting student data.

View More Disclosure Avoidance Content


Data Governance

Toolkit Data GovernanceTechnical Brief # 2: Data Stewardship: Managing Personally Identifiable Information in Student Education Records (Nov 2010)

This Statewide Longitudinal Data Systems (SLDS) Technical Brief focuses on data stewardship, which involves each organization’s commitment to ensuring that privacy, confidentiality, security, and the appropriate use of data are respected when personally identifiable information is collected. Data stewardship involves all aspects of data collection, from planning, collection and maintenance to use and dissemination. The Brief also discusses internal control procedures that should be implemented to protect personally identifiable information, including the use of unique student identifiers and linking codes, workforce security, authorization for access, role based access to student record data, permitted uses, and the handling of data breaches. This Brief concludes with a discussion of accountability and auditing, including an overview of the types of audit activities that can be implemented to ensure that all stages of data stewardship have been successfully implemented.

Toolkit Data GovernanceIssue Brief: Data Governance and Stewardship (Dec 2011)

This brief provides guidance on how to successfully manage complex data systems by establishing a comprehensive data governance approach. Data governance principles discussed in this paper apply to a large number of audiences and can be used to improve data management of systems spanning pre-school through postsecondary education and into the workforce.

Toolkit Data GovernanceChecklist: Data Governance (Dec 2011)

This checklist is designed to assist stakeholder organizations with establishing and maintaining a successful data governance program by summarizing the key data privacy and security components of such a program and listing specific best practice action items.

View More Data Governance Content