The Privacy Technical Assistance Center (PTAC) has developed a body of best practice resources to help education stakeholders, including State educational agencies, local education agencies, and the postsecondary education community involved in building and using education data systems, learn more about data privacy, confidentiality, and security practices related to student-level longitudinal data systems. Resources are organized according to five main topics, with the most up-to-date and relevant information on each topic displayed below. A complete list of resources by subject is available on linked webpages. The PTAC Toolkit is updated regularly with new resources, including case studies, webinars, checklists, technical briefs, issue briefs, and other useful information.
Security Best Practices
This checklist is designed to assist stakeholder organizations with developing and maintaining a successful data security program by listing essential components that should be considered when building such a program, with focus on solutions and procedures relevant for supporting data security operations of educational agencies.
The Privacy Technical Assistance Center, working with the Department of Education’s Family Policy Compliance office, has developed a new checklist document that provides a framework for evaluating online educational tools' Terms of Service Agreements. This document is intended to assist users in understanding how a given online service or app will collect, use and/or transmit user information so that they can then decide whether or not to sign up.
The document is available here and is divided into several sections:
- A checklist for evaluating Terms of Service Agreements to ensure that the app or program will handle data in a safe and secure manner.
- Warning signs and potential illegal practices to look out for when using these applications.
- Recommendations and best practices for what you or your organization can do to protect yourself and your data.
The Data Destruction document is a best practices guide on properly destroying sensitive student data after it is no longer needed. It details the life cycle of data and discusses various legal requirements relating to the destruction of data under FERPA, and examines a variety of methods for properly destroying data. The guide also discusses best practices for data destruction and provides some real-world examples of how to implement it within your organization.
The guide explains what the heartbeed vulnerability in OpenSSL is, how it is exploited, the risks to your organization, and what steps you can take to protect your sensitive data and other online assets. The guide provides helpful advice and best practices to ensure that your systems remain secure.
This guidance should clarify questions related to student privacy and the use of educational technology in the classroom.
The Department of Education and PTAC held a webinar on March 13 to review this guidance.
Data Breach Response Training Kit
Any organization with electronic records is vulnerable to security breaches, and education agencies are no exception. The PTAC Data Breach Scenario is one of a series of exercises intended to assist schools, districts, and other educational organizations with internal data security training.
The Password Data Breach interactive exercise is aimed at district management and provides a simulated response to a district-level data breach. Over the course of 1-2 hours, this customizable exercise leads participants through a scenario involving a breach of student information and other personally identifiable information. The exercise focuses on the processes, procedures, and skills needed to respond. The package includes three parts: Facilitator’s Guide, PowerPoint Slides, and Exercise Handouts.
Important Internal Revenue Service (IRS) guidance highlighting ongoing phishing attacks against K-12 schools and school districts. These attacks are targeting HR and critical business functions within organizations to access the Personally Identifiable Information (PII) from the W-2 forms of employees and, in some cases, extracting fraudulent payments from their victims. This document contains a summary of the attacks, tactics of the attackers, potential ramifications and links to the official IRS guidance.
This guidance document is intended to help educational agencies and institutions create visual “maps” of how their data flows in the data systems. Including maps in data governance plans can help organizations better understand what data are in their systems, where the data reside, what sources they come from, why those data are collected, what limitations or restrictions apply, how they are linked, and what policy questions those data are used to answer.
This Statewide Longitudinal Data Systems (SLDS) Technical Brief focuses on data stewardship, which involves each organization’s commitment to ensuring that privacy, confidentiality, security, and the appropriate use of data are respected when personally identifiable information is collected. Data stewardship involves all aspects of data collection, from planning, collection and maintenance to use and dissemination. The Brief also discusses internal control procedures that should be implemented to protect personally identifiable information, including the use of unique student identifiers and linking codes, workforce security, authorization for access, role based access to student record data, permitted uses, and the handling of data breaches. This Brief concludes with a discussion of accountability and auditing, including an overview of the types of audit activities that can be implemented to ensure that all stages of data stewardship have been successfully implemented.
This brief provides guidance on how to successfully manage complex data systems by establishing a comprehensive data governance approach. Data governance principles discussed in this paper apply to a large number of audiences and can be used to improve data management of systems spanning pre-school through postsecondary education and into the workforce.
This checklist is designed to assist stakeholder organizations with establishing and maintaining a successful data governance program by summarizing the key data privacy and security components of such a program and listing specific best practice action items.
Parents often ask questions like “What information are you collecting about my child?” “Why do you need that information, and what do you use it for?” or “How do you safeguard my child’s information?” These are legitimate questions that parents want schools and districts to answer. This document provides a number of recommendations for keeping parents and students better informed about schools’ and districts’ collection and use of student data.
The recommendations contained in the guidance can be divided into three main categories: (1) what information schools and districts ought to communicate to parents; (2) how to convey that information in a way that parents can understand; and (3) how to respond to parent inquiries about student data policies and practices.
Some of the best practices covered in the document include:
- making information about your student data policies and practices easy to find on your public webpage;
- publishing a data inventory that details what information you collect about your students, and what you use it for;
- explaining to parents what, if any, personal information is shared with third parties and for what purpose(s); and
- using multi-layered communication strategies that tailor the complexity of the information to the medium, and telling parents where they can get more detailed information if they want it.
This PTAC Document aims to assist schools and districts in crafting data use policies to ensure appropriate protection of students’ data. While it is not mandatory to develop a data use policy, the U.S. Department of Education recommends doing so as a best practice.
This document was developed as a companion piece to the video Developing a Privacy Program for your School District. The document provides an overview and rationale for why districts need, and should take the time to create and implement a program to protect personally identifiable information from student records.
- Early Childhood Regional Meeting Resource List
- Joint FERPA Letter with ED OESE HHS ACF
- Financial Aid Research
- FERPA Exceptions Summary
- Contractor Responsibilities under FERPA
- Responsibilities of Third-Party Service Providers
- Joint Guidance on Data Matching
- Request from Suffolk University
- Integrated Data Systems and Student Privacy
This document provides a comprehensive list of links to NCES, ED, and other state practitioner’s related resources directly and indirectly related to Early Childhood data system practitioners. It includes applicable guidance documents in the areas of data use, research, privacy and security
This letter written to Chief State School Officers and State Child Welfare Directors between the U.S. Department of Health and Human Services and Department of Education describes the Uninterrupted Scholars Act and its impact on data sharing between education and health and human service agencies.
This document is intended to provide postsecondary educational institutions clarification on the conditions under which federal student financial aid information may be used for program evaluation and research purposes. Numerous federal laws govern access to, disclosure of, and use of student financial aid information, including, but not limited to: Section 444 of the General Education Provisions Act (commonly referred to as the Family Educational Rights and Privacy Act [FERPA]); the Higher Education Act of 1965, as amended (HEA); and the Privacy Act of 1974, as amended (Privacy Act). As the interplay of these various laws in different situations can be complex, in addition to a discussion, this document provides some questions and answers about possible situations in which student financial aid information may, or may not, be used for these purposes.
FERPA Exceptions Summary (Apr 2014)
The various exceptions to FERPA can be confusing and difficult to keep track of. The FERPA Exceptions Summary is intended to be a handy visual aid to help identify, at a glance, what FERPA exception applies to the data sharing work you are trying to do. Both links below have the same content, only oriented in different ways to facilitate printing.
This document is intended for state educational agencies (SEAs) and/or their contracted companies to use to inform the contractors’ staff about their responsibilities to protect students’ personally identifiable information acquired under FERPA’s audit or evaluation exception.
The document is available in two different formats:
This document was developed by PTAC to assist online educational services providers, vendors, and contractors in understanding the Family Educational Rights and Privacy Act (FERPA). Our prior guidance, Protecting Student Privacy While Using Online Educational Services, was intended for school audiences; this guidance presents the same material, but in a format geared toward third-party service providers.
Workforce Innovation and Opportunity Act (WIOA) August 2016
In July 2014, Congress enacted the Workforce Innovation and Opportunity Act (WIOA) to provide greater training and work search opportunities to unemployed Americans, especially those who exhaust unemployment benefits and continue to be unemployed or underemployed. To achieve that end, Congress required that, in measuring the progress of the state on state and local performance accountability measures that apply across core programs, states use quarterly wage records consistent with state law. WIOA also requires that states, to the extent practicable, cooperate in conducting evaluations (including related research projects), which includes providing data. In addition, under WIOA eligible training providers are required to report employment outcomes, and will benefit from states enabling cross-matching with wage records and education and training provider records. Accordingly, the Departments of Labor and Education are issuing this joint guidance on data matching to facilitate performance reporting and evaluation.
The U.S Department of Education has issued this guidance letter in response to a technical assistance request from Suffolk University. In their request, representatives from the University sought guidance on the use of the Department’s National Student Loan Data System (NSLDS) for research and evaluation purposes, to study student loan servicing and borrower default and delinquency of Suffolk’s students and graduates.
This guidance document provides background information on what an Integrated Data System (IDS) is and why educational authorities may choose to participate in one, and clarifies how such authorities can participate in an IDS while ensuring student privacy in compliance with FERPA.
Legal References (FERPA and Cross-Agency)
This document is a template notice for notifying parents and eligible students (students over 18 years of age or attending a school beyond the high school level) about the type of information from student’s education records, designated by a School District as “directory information,” that schools may disclose without consent, unless advised to the contrary.
This document is an example of a notice that postsecondary institutions can use to inform parents and eligible students (students 18 years of age or older or who attend a postsecondary institution) about their rights under the Family Educational Rights and Privacy Act (FERPA) with respect to students’ education records.
This document is a template notice for notifying parents and eligible students (students 18 years of age or older or who attend a postsecondary institution) about their rights under the Family Educational Rights and Privacy Act (FERPA) with respect to students’ education records.
On April 21st, 2016 the Office of the Chief Privacy Officer issued a formal letter to Louisiana answering questions relating to protecting student privacy in public reporting. The document addresses the U.S. Department of Education’s practices and recommendations to States on how to protect privacy when publicly reporting enrollment data.
This Statewide Longitudinal Data Systems (SLDS) Technical Brief examines what protecting student privacy means in a reporting context. To protect a student's privacy, the student's personally identifiable information must be protected from public release. When schools, districts, or states publish reports on students' educational progress, they typically release aggregated data–data for groups of students–to prevent disclosure of information about an individual. However, even with aggregation, unintended disclosures of personally identifiable information may occur. Current reporting practices are described and each is accompanied by an example table that is used to consider whether the intended protections are successful. The Brief also illustrates that some practices work better than others in protecting against disclosures of personally identifiable information about individual students. Each data protection practice requires some loss of information. The challenge rests in identifying practices that protect information about individual students, while at the same time minimizing the negative impact on the utility of the publicly reported data. Drawing upon the review and analysis of current practices, the Brief concludes with a set of recommended reporting rules that can be applied in reports of percentages and rates that are used to describe student outcomes to the public. These reporting rules are intended to maximize the amount of detail that can be safely reported without allowing disclosures from student outcome measures that are based on small numbers of students.
PTAC provides an overview of the guidance documents around Data Disclosure avoidance and best practice strategies for protecting personally identifiable information from education records (PII) in aggregate reports. The webinar provides suggestions on how to ensure that necessary confidentiality requirements are met, including compliance with the Family Educational Rights and Privacy Act (FERPA).
This case study illustrates best practices for minimizing access to sensitive information with education data maintained in a Statewide Longitudinal Data System. Two additional documents accompany this study: (1) An alphabetized glossary of terms related to data de-identification, and (2) FAQs about protecting personally identifiable information in education records when publically reporting student data.