| Notes |
DATA-SHARING TOOL KIT FOR COMMUNITIES: How To Leverage Community Relationships While Protecting Student Privacy
This report contains hypertext links, contact addresses, and websites with information created and maintained by other public and private organizations. This information is provided for the user’s convenience. The opinions expressed in any of these hyperlinked materials do not necessarily reflect the positions or policies of the U.S. Department of Education. The inclusion of this information is not intended to reflect its importance, nor is it intended to endorse any views expressed, or products or services offered. The U.S. Department of Education does not control or guarantee the accuracy, relevance, timeliness, or completeness of any outside information included in this report.
U.S. Department of Education
400 Maryland Avenue, SW Washington, DC 20202
March 2016
This report is in the public domain. Authorization to reproduce it in whole or in part is granted. While permission to reprint this publication is not necessary, the citation should be: U.S. Department of Education, Data-Sharing Tool Kit for Communities: How to Leverage Community Relationships While Protecting Student Privacy, Washington, D.C., 2016.
This report is available on the Department’s website at http://innovation.ed.gov/what-we-do/place- based-initiatives/.
Availability of Alternate Formats
Requests for documents in alternate formats such as Braille or large print should be submitted to the Alternate Format Center by calling 202-260-0852 or by contacting the 504 coordinator via email at om_eeos@ed.gov.
Notice to Limited English Proficient Persons
If you have difficulty understanding English you may request language assistance services for Department information that is available to the public. These language assistance services are available free of charge. If you need more information about interpretation or translation services, please call 1-800-USA-LEARN (1-800-872-5327) (TTY: 1-800-437-0833), or email us at Ed.Language.Assistance@ed.gov.
ii

A Data-Sharing Overview
Sharing De-identified Data
Data Spotlight #1
Sharing With Consent
Data Spotlight #2
Using an Exception
School Official Exception
Data Spotlight #3
Test Your Knowledge of the School-Official Exception
Studies Exception
Test Your Knowledge of the Studies Exception
Audit/Evaluation Exception
Test Your Knowledge of the Audit/Evaluation Exception
FERPA Mythbusters
Introduction to Tools
Integrated Data Systems
Resources
Contact Information
iii
List of One-Pagers
DATA-SHARING TOOL KIT FOR COMMUNITIES: How To Leverage Community Relationships While Protecting Student Privacy
The purpose of this tool kit is to inform civic and community leaders who wish to use shared data to improve academic and life outcomes for students while protecting student privacy. A key success factor in doing this well is understanding the Family Educational Rights and Privacy Act (FERPA) and its parameters relative to the sharing of personally identifiable information (PII) from education records.
This tool kit is designed to simplify the complex concepts of FERPA. It may be used both as a comprehensive guide and a collection of one-page resources. The tool kit covers the following three primary focus areas:
Understanding the importance of data collection and sharing
Understanding how to best protect student privacy when collectively using PII from students’ education records that is protected by FERPA (including the best practices for obtaining written consent, or, where applicable, complying with FERPA’s exceptions to non-consensual disclosure of data)
Understanding how to manage shared data using integrated data systems
Hyperlinks to additional information can be found throughout the tool kit in bold green text. The symbol is used to identify best privacy practices as you move forward with your data plans. Finally, please keep in mind that this tool kit highlights the federal privacy protections under FERPA. Be sure to also review other federal and state privacy laws.
iv
A Data-Sharing Overview
Why Data Sharing Is Important
Data helps us better understand the needs of our students, identify additional resources needed, and, in some cases, assess our impact on individual student outcomes. Imagine being able to help a struggling student access the exact support services he or she needs, like tutoring, housing, or healthcare. By sharing data consistent with applicable privacy protection, you can. Data sharing can enable well-meaning people to better serve students by providing information that helps to contextualize student need.
Is Data Sharing Legal?
Yes, under certain circumstances. The Family Educational Rights and Privacy Act (FERPA) establishes certain parental rights, and restricts to whom and the circumstances under which schools, local educational agencies (LEAs), and post-secondary institutions can disclose a student’s personally identifiable information (PII) from education records without the parent’s or eligible student’s consent. (The video Student Privacy 101 provides a general overview of these protections and their critical importance to students and families.) Several myths and misinterpretations of privacy laws and regulations keep LEAs from participating in permissible data-sharing activities that have the potential to improve both life and academic outcomes for students.
The good news is that, with the right understanding of existing privacy laws, you can be well on your way to building a data plan that meets each individual student’s privacy needs! The first step in determining if a data plan is in compliance with FERPA is to find out what category of data is involved. There are generally three categories of data that may be permissibly shared with different rules for each of them. These categories are (1) de-identified data; (2) data shared with written consent from the parent or eligible student; and (3) data shared under a FERPA exception. When sharing PII from a student’s education records using an exception to FERPA’s written consent requirement, it is important to remember that most of the exceptions are tied to a specific, limited use of the data. If using data for multiple purposes, multiple exceptions may be required.
DE-IDENTIFIED
You can always share properly de-identified data. Just keep in mind that FERPA’s definition of PII includes any linked or linkable information that can be used to identify a student. Always fully assess the risks before sharing data.
WITH CONSENT (Recommended)
Getting written consent is a relatively simple way to ensure compliance. Consent must specify the type of PII shared, the purpose for sharing it, and the specific party with whom it’s shared. Check out our sample consent forms to get started.
USING AN EXCEPTION
FERPA has several exceptions to its consent requirement. The most common exceptions are for conducting a study, evaluating educational programs, or outsourcing school functions or services.
Page 1 of 18
Sharing De-identified Data
De-identified aggregate or summary data are collections of de-identified information that are (1) collected from multiple sources and/or on multiple measures, variables, or individuals; and (2) compiled into data summaries or summary reports, typically for the purposes of public reporting or statistical analysis, such as examining trends, making comparisons, or revealing information and insights that would not be observable when data elements are viewed in isolation.
FERPA allows schools to share properly de-identified data
without consent of any party, for any purpose. students with unique identifiers.
Aggregating student-level data removes much of the risk of disclosure, since no direct identifiers (such as, but not limited to, a name, Social Security number, or student ID) are present. With that said, even aggregate data has its risks, especially when a student — or even a set of students — has unique characteristics, or identifiers. An example of this might be a school reporting that 100 percent of males in grade 11 scored at “Below Proficient” on an assessment. In these cases, you may need to adjust the data to maintain privacy. Fortunately, there are a number of tools you can use to ensure you’re protecting student privacy. The privacy community refers to these as “disclosure avoidance techniques.”
Our Privacy Technical Assistance Center has a complete list of Frequently Asked Questions on Disclosure Avoidance Techniques, but here are just a few to get you started:
SUPPRESSION
Removing data to prevent the identification of individuals in small groups or those with unique characteristics. This method may often result in very little data being produced for small populations.
BLURRING
Reducing the precision of reported data to lessen the likelihood of individuals being re-identified. There are many ways to do this, such as rounding cell values or reporting values in ranges.
PERTURBATION
Introducing “noise” or manipulating small amounts of data within a table to prevent a data user from re-identifying an individual with any certainty.
Double-check aggregate data to avoid
accidentally disclosing information on
Page 2 of 18
Data Spotlight #1:
Using de-identified data to identify gaps in program provision
City’s Promise is a city-wide collaborative, composed of public, business, higher education, nonprofit, and philanthropic leaders. It serves as a catalyst for organizing efforts and resources around a shared community vision that all city youths will travel a safe, healthy, and successful education path from cradle to career. This includes the approximately 85,000 students served by City Public Schools (CPS). City’s Promise has five strategic objectives and corresponding work groups: (1) healthy babies, (2) kindergarten readiness, (3) grade-level achievement, (4) high school graduation, and (5) career readiness.
The grade-level achievement work group, chaired by the CPS Superintendent, convened 25 stakeholders to assess opportunities to improve student achievement. They began by examining student progress on key assessments, including their local state assessment and scores from the National Assessment of Educational Progress. To identify which children were most at risk of falling below grade-level achievement, CPS gathered data using the following three key variables, which serve as early indicators of this risk: (1) attendance, (2) behavior (as defined by truancy and suspension), and (3) course rigor.
CPS then disaggregated the data by race/ethnicity and gender, and applied disclosure avoidance techniques, including complementary suppression, to de-identify the data. Despite having to suppress a little data in both sets of assessment scores due to the small percentage of students yielded from cross-tabulation by race and gender, CPS was still able to fully de-identify the remaining aggregate data. This data covered more than 90 percent of its total population.
Next, the work group conducted three meetings with a professional facilitator and identified high-level priorities to boost achievement. The first priority was an improvement to its enrichment opportunities, specifically out-of-school-time programs. Based on their qualitative data analysis of the de-identified data, community groups recognized that of the 15,000 youths enrolled in out-of-school- time programs, only 3,500 were enrolled in what they believed were comprehensive enrichment programs. For instance, a child who was struggling with reading in school should’ve been—but often wasn’t—enrolled in an enrichment program with a tutoring component. The workgroup members used their content expertise to inform their recommendation to the board to ensure that instruction in CPS classrooms is complemented (not replicated) with out-of-school-time programs.
Now that the workgroup has successfully used data to identify gaps in out-of- school-time program provision, it is working on the next phase—using data to close gaps in achievement. The City’s Promise board ultimately accepted the group’s recommendation and formed an action team to explore how to better align and expand enrichment opportunities. The action team is jointly led by a local management board that oversees the provision of resources for a large portion of out-of-school- time programs for the city, and by CPS’ teaching and learning division. The team is now conducting a deep-data dive using the de-identified data to develop its enrichment programming.
Page 3 of 18
Sharing With Consent
Written consent from parents or eligible students is generally required before PII from students’ education records may be disclosed to community partners. Except for the permissible exceptions to consent, FERPA requires written consent from parents or eligible students before PII from education records are disclosed. Schools, local educational agencies, and/or community partners can incorporate written consent into the registration process. This ensures that when a parent signs a student up for services offered by a community partner, the partner obtains the consent needed to access those education records that will be needed to provide its services to that student.
Although obtaining consent is the recommended and often most effective way of sharing education records, it is not always the most practical method to use. Under FERPA, a parent or eligible student may provide consent to a third party, such as a community partner, as long as the consent is written, dated, signed and
(1) specifies the education records that may be disclosed;
(2) states the purpose of the disclosure; and
(3) identifies the partner or other parties to whom the disclosure may be made.
Written consent is the best way to protect student privacy while serving student needs.
The first question is often WHO is responsible for obtaining the written consent? Although it may make the most sense for community partners to do so, a school is not required to honor consents given to third-party organizations. To ensure an effective partnership, you should work with the LEA(s) ahead of time to obtain consent in accordance with their student privacy policies and procedures.
Best Practices for Obtaining Consent
Find out who can sign. Recognizing that many students do not live with their biological parents, schools may obtain consent from an individual acting as a parent in the absence of a parent or legal guardian, such as a grandparent or other adult relative. An individual acting as a parent is an individual who is responsible for the day-to-day supervision of the child. Schools have the discretion in deciding what documentation, if any, is necessary to make the determination of whether an individual qualifies as an acting parent.
Seek volunteers from the community. Trust is a key ingredient in obtaining consent from parents. Without it, community partners are sometimes rejected by parents as meddlesome outsiders. Building relationships with people from within the community helps to bridge any perceived gaps between service providers and the communities they serve. For community programs, parents who have already enrolled in the program may prove useful in helping to educate newer parents on the benefits of granting consent.
Page 4 of 18
Data Spotlight #2: Obtaining consent to share data
The Great Schools Promise Neighborhood (GSPN) is a transformative education initiative that brings together families, schools, public agencies, and the community to change the odds for a generation of children. GSPN uses education as a tool to end multi-generational poverty in two of Great City’s highest need neighborhoods by creating early pathways of opportunity that lead to college and career success. Parents who sign on with GSPN and its partners can benefit from a wide variety of wraparound services—ranging from housing to college prep.
While GSPN was in its planning phase, a new principal arrived at Great Kids Elementary School, a GSPN partner school. Principal Jane Doe, a white woman, stood out in a school filled with students of African and African-American descent. She understood the need to quickly acknowledge the role of culture within the school, and that in order to get the full community to trust her, she’d have to enlist the help of the community itself.
Leveraging her relationships with a trusted member of the community, Elder Eve, and a well-established tutoring program that had been part of the school for several years, Principal Doe sought help in building a stronger community program. She expanded her relationship with the community “elders” and provided a dedicated classroom at her school for the community-based Cultural Wellness Center.
Principal Doe’s investment in the community paid off when it was time to encourage participation in the GSPN. “I need your help,” she said, candidly acknowledging the cultural gap between her and the community. In return, the elders appreciated her honesty and didn’t think twice about lending a hand.
Working with GSPN and its sponsor, the Doing Good Foundation, Principal Doe and the community elders started getting parents engaged in GSPN’s continuum of supports. They not only told parents about the existence of GSPN, they also invited them to help build the Promise Neighborhood around what the community felt it most needed. Soon, Principal Doe and the Doing Good Foundation were playing supportive roles as the community stepped into the leadership role.
With student privacy as a top priority, trained GSPN community “navigators” worked closely with community partners and the school to ensure FERPA compliance while educating their peers about their privacy rights and the potential benefits that might result from consenting to the disclosure of education records. Navigators were from the community and, typically, had an existing level of trust from which to engage parents throughout the GSPN footprint. They made sure that the consent forms collected contained the right information on what data would be disclosed, who would have access to the data, and the purpose for which the data would be used. GSPN also uses both an integrated data system and district data center to help centralize the protection and use of data across its partners.
Page 5 of 18
Using An Exception
FERPA contains a number of exceptions that allow schools and LEAs to disclose PII from a student’s education record without the consent of a parent or an eligible student. Three of the most relevant exceptions are for (1) school officials, (2) studies, and (3) audits/evaluations.
School Official Exception
This exception is most commonly used for in-school volunteers and contracting. Schools may share information with an organization considered to be a “school official” only if the organization meets all of the following criteria:
Performs an institutional service or function for which the school or LEA would otherwise use employees
Is under direct control of the school or LEA regarding the use and maintenance of the education records
Organization agrees not to disclose or use the data outside of the designated purpose, pursuant to 34 CFR
§99.33(a) of the FERPA regulations governing PII use and re-disclosure
Meets the criteria listed in the school’s or LEA’s Annual Notification of FERPA Rights for being a school official
with a legitimate educational interest
Studies Exception
Information may be shared with an organization conducting studies for or on behalf of a school or LEA. There are a few limitations, however. The school must enter into a written agreement with the organization that includes the privacy requirements listed in 34 CFR §99.31(a)(6) of the FERPA regulations. The organization must also be conducting a study in one of the following areas:
 Developing, validating, or administering predictive tests Administering student aid programs
Improving instruction
Audit/Evaluation Exception
Use detailed data-sharing agreements to ensure partners understand the limited use of shared data.
This is the exception most often used for evaluating program effectiveness. A local educational authority, generally the LEA, may designate certain organizations to serve as its authorized representative—as long as there’s a written agreement and the LEA meets the conditions listed in 34 CFR §99.35 of the FERPA regulations. The LEA may only share PII from education records using this exception in order to do either one of the following:
Audit or evaluate a federal or state-supported education program
Enforce or comply with federal legal requirements relating to an education program
There is one additional exception to FERPA’s consent requirement worth noting—Directory Information. Directory information is PII from education records that would not generally be considered an invasion of privacy or harmful if disclosed. It includes the student’s name, address, telephone listing, email address, photograph, date and place of birth, major field of study, grade level, dates of attendance, participation in sports, awards and honors, and most recent school or LEA attended. Directory information does not include Social Security numbers, grades or assessment scores, disability, race, or sex. Schools and LEAs must give parents and eligible students public notice about what items are designated as directory information and inform them of their right to opt out of the disclosure of that information. A reasonable amount of time must be provided to parents and eligible students so that requests not to disclose any or all directory information can be made to the school or LEA.
Page 6 of 18
School Official Exception
FERPA allows education agencies or institutions to disclose PII from an education record without consent to school officials, including teachers, within the agency or institution if the agency or institution determines that those officials have “legitimate educational interests” (typically, this means a school official needs to review an education record in order to do a job) in the records. The U.S. Department of Education has interpreted the term “school official” to include school employees, from teachers to volunteers to clerical personnel. In addition, schools may outsource institutional services or functions to third parties so long as the outside party is performing a service or function the school would ordinarily use employees to complete and certain conditions are met, such as having a legitimate educational interest in the information.
There are a few caveats. Organizations falling under this exception must be under the direct control of the school regarding the use and maintenance of its education records. Organizations are also required to comply with FERPA’s re-disclosure requirements. This means they can’t re-disclose PII or education records to another party without the prior consent of the parent or eligible student, and they may use the PII or education records only for the purpose for which it was released. Keep in mind that schools are required to, among other things, give annual notification of the criteria needed to be considered a school official with a legitimate educational interest. And finally, although FERPA doesn’t actually require written agreements under this exception, we strongly recommend their use as a best practice.
GettingStarted: AQuickChecklistfortheSchool
Establish criteria in the annual notification of FERPA rights about who is a “school official” and what constitutes “legitimate educational interests.”
Determine if the disclosure is to a school official who has a legitimate educational interest in the education records.
Use reasonable methods to ensure that school officials obtain access to only those education records in which they have a legitimate educational interest.
If outsourcing school services or functions to a third party, make sure your third party does the following:
Performs a service or function for which the school would otherwise use employees
Is under the direct control of the school regarding the use and maintenance of education records Complies with the PII from education records use and re-disclosure requirements
Reference and Record Requirements
See the complete reference at 34 CFR §99.31(a)(1) and §99.7(a)(3)(iii). 34 CFR §99.32(d)(2) does not require schools, LEAs, or post-secondary institutions to record disclosures of personally identifiable information from education records to school officials under 34 CFR §99.31(a)(1).
Page 7 of 18
Data Spotlight #3:
How the Community Promise Neighborhood Initiative used de-identified data to reduce chronic absenteeism
The Community Promise Neighborhood Initiative (CPNI) began working closely with Public Elementary School 1 (PS1) at the beginning of the 2012–13 academic year. One of the immediate challenges identified was the high percentage of students that were chronically absent (i.e., the percentage of students that missed 18 or more school days during the year). The school was very focused on average daily attendance and on decreasing the number of unexcused absences. However, there was little attention paid to students that were missing large amounts of instructional time. Chronic absenteeism has been linked to low academic achievement and is often a powerful predictor of those students who may eventually drop out of school.
PS1 enlisted the assistance of CPNI to identify and mitigate the causes of chronic absenteeism by designating CPNI staff as school officials with legitimate educational interests in receiving PII from students’ education records. Under the direction of PS1, CPNI staff determined that 35.6 percent of students in preschool (ages 3 and up) through fifth grade were chronically absent during the 2012–13 school year. The situation was worse in the earliest grades, where 63.2 percent of pre-K students and 46.2 percent of kindergarten students were chronically absent.
CPNI and PS1 had to rethink how they looked at data for this project. Existing school reports focused heavily on calculating average daily attendance, truancy, and unexcused absences—but did not track chronic absenteeism. Using raw, near real-time student attendance data and historical attendance data, CPNI and PS1 classified students into three different levels: at low risk, moderate risk, or high risk for chronic absenteeism. Using these classifications, CPNI then created a distinct intervention for each population.
CPNI uses strong administrative, physical, and technical security measures to protect the privacy of the student PII it receives from PS1 and only uses student PII for approved purposes under the direction of PS1. CPNI destroys or returns any PII to PS1 after a review is completed.
CPNI measures the effectiveness of this chronic absenteeism initiative by looking at changes in the percentage of students who are chronically absent both across the entire school and in each grade level. Before the program started, 35.6 percent of PS1 students were chronically absent. After only two years in operation, the program has seen this drop to 24.4 percent of students who are now classified as chronically absent.
Page 8 of 18
Test Your Knowledge of the School Official Exception
A local community center has an after-school tutoring program for vulnerable children. In order to contact parents regarding its program, the center approaches the school, asking for the name, address, and telephone number of parents of students in the school who may benefit from the tutoring service. The school currently uses internal staff to provide after-school tutoring to its vulnerable population, and really likes the program offered by the center. The school’s leadership team decides that it would like the local community center to provide after-school tutoring to its most vulnerable students on its behalf.
May the school use the school official exception?
YES!
Yes, as long as certain conditions are met. Schools are permitted to outsource institutional services or functions that involve the disclosure of education records to contractors, consultants, volunteers, or other third parties provided that the outside party
performs a service or function for which the school would otherwise use employees;
is under the direct control of the school regarding the use and maintenance of education records;
complies with the use and re-disclosure requirements for PII from education records; and
meets the criteria specified in the school’s or LEA’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records.
A nonprofit grantee of the U.S. Department of Education has developed a new reading app for middle school students it hopes will help to improve the instruction of all students nationwide. It approaches a state about having its middle school students use the app. The grantee wants to be considered a “school official” with a “legitimate educational interest” by the local schools in the state so that it may access student education records in order to evaluate the effectiveness of the software.
May the school use the school official exception?
NO!
No, the school official exception would not appear to be applicable in this example. Remember, in order for a school to disclose education records to an outside organization under the school official exception, all of the criteria for outsourcing listed above must apply to the organization. Since it is not clear that the schools would consider this to be a function that they would otherwise use their own employees to perform, the first condition is not met. However, evaluating the effectiveness of an app designed to improve instruction might be permissible under FERPA’s studies exception.
Page 9 of 18
Studies Exception
FERPA allows educational agencies or institutions to disclose PII from an education record without consent under the studies exception. Organizations conducting studies “for, or on behalf of,” schools or LEAs may have access to PII as long as it will be used for any one of the following specific purposes:
(1) developing, validating, or administering predictive tests; (2) administering student aid programs; or
(3) improving instruction.
There are a few caveats. First, organizations conducting a study, for, or on behalf of, a school or LEA, may only use PII from education records for the purpose of a study; may not permit PII to be disclosed to anyone other than their representatives with legitimate interests in the PII; must enter into written agreements with the school or LEA; and must destroy the PII when no longer needed for the purpose of the study. (See model agreement in the Tools and Resources section.) Next, the study must be conducted in a manner that doesn’t permit the personal identification of parents and students by anyone other than representatives of the organization conducting the study, and the results of the study must be published in a way that wouldn’t allow individual students and/or their parents to be identified.
Getting Started:
A Data-Sharing Agreement Checklist
First, make sure the written agreement identifies the
purpose of the study to be conducted; scope of the proposed study;
duration of the study;
information to be disclosed; and
Be sure to identify specific dates during which data can be used and when it must be returned and/or destroyed.
 data security measures required to keep the PII safe.
Second, make sure the written agreement also requires the organization to
use personally identifiable information only to meet the purpose(s) of the study;
limit access to personally identifiable information to those with legitimate interests; and
destroy all personally identifiable information when the information is no longer needed for the purpose(s) for which the study was conducted within a specified time period.
Reference and Record Requirements
See the complete reference at 34 CFR § 99.31(a)(6). FERPA requires schools, LEAs, or postsecondary institutions to record all disclosures of personally identifiable information from education records to organizations made under the studies exception (34CFR § 99.32).
Page 10 of 18
Test Your Knowledge of the Studies Exception
A guidance counselor at a local high school contacts your college seeking course and grade information on students who previously attended the high school where she works and are now enrolled at your college. The counselor goes on to say that the reason she wants the data is to evaluate the success of the college-prep and AP courses that are taught at her high school. She was assigned this research project by the principal of her high school.
May the counselor use the studies exception?
NO!
No. The studies exception within FERPA permits disclosure without consent to organizations conducting studies for, or on behalf of, the educational agency or institution that maintains the records. In this example, the study is being conducted on behalf of the high school, but it is the college that maintains the student education records that the counselor is seeking. An available option would be for the counselor to obtain written consent from each student whose record she wishes to evaluate. Assuming the number of students is large enough, you might be able to at least provide some non-identifiable summative outcome information.
Your state board of higher education wishes to enter into a written agreement with an organization to conduct a study for postsecondary institutions across the state. The study is for improving instruction and will be used to review academic programs across the state, assess education trends, and compare the successes and failures of post-secondary institutions in the state.
May the state board of higher education use the studies
exception?
YES!
Yes, FERPA permits a state educational authority, such as a state board of higher education that has the legal authority to enter into agreements for, or on behalf of, constituent institutions, to re-disclose PII from education records to an organization under the studies exception to conduct a study to improve instruction. It is the responsibility of the state educational authority to ensure that the written agreement specifies the purpose, scope, and duration of the study, as well as the PII to be disclosed. The state educational authority also must ensure the organization uses PII from education records only to meet the purpose of the study; conducts the study in a manner that does not permit identification of parents and students by anyone other than representatives of the organization with legitimate interests; and destroys all PII when it is no longer needed for the purpose for which the study was conducted.
Page 11 of 18
Audit/Evaluation Exception
FERPA allows a local or state educational authority to designate a community partner as its authorized representative and disclose PII from education records using the audit/evaluation exception. Records can be provided for two reasons: (1) to audit or evaluate a federal or state-supported education program, or (2) to enforce or comply with federal legal requirements that relate to those education programs.
What’s an education program? Any program principally engaged in providing education, including programs in early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, adult education, or any program administered by an educational agency or institution
Some things to keep in mind...
This exception applies to state and local educational authorities (SEAs and LEAs) that are considered as such under applicable law. Individual schools are not generally considered to be state or local educational authorities unless the individual school is an LEA. (This may be the case with some public charter schools.)
A checklist for drafting written agreements
designates an individual or entity as an authorized representative;
specifies what PII will be disclosed and for what purpose;
describes the activity to make clear it falls within the audit/evaluation exception;
requires an authorized representative to destroy PII upon completing the audit or evaluation and specifies the time period in which the information must be destroyed; and
establishes policies and procedures— consistent with FERPA and other federal, state, and local confidentiality and privacy laws—to protect PII from further disclosure and unauthorized use.
Make sure your partner has good privacy practices before starting a data-sharing relationship.
Community partners generally may not use this exception to audit or evaluate their own programs since the exception is designed for the audit or evaluation of federal or state-supported education programs.
An LEA must use a written agreement to designate a community partner as its authorized representative. The checklist above can assist you in developing written agreements for your program.
Finally, before an LEA discloses PII from education records to a community partner designated as an authorized representative, the LEA is required to use “reasonable methods” to ensure to the greatest extent practicable that the community-based organization uses the PII only for the authorized purpose and protects the PII from other uses.
For best practices, refer to our Guidance for Reasonable Methods and Written Agreements. Reference and Record Requirements
See the complete reference at 34 CFR §§ 99.31(a)(3) and 99.35. FERPA requires schools, LEAs, or postsecondary institutions to record all disclosures of PII from education records made under the audit/evaluation exception (34CFR§99.32).
Page 12 of 18
Test Your Knowledge of the Audit/Evaluation Exception:
Illustrating a state education agency sharing high school feedback reports
The SEA in state X participated in the Department of Education’s State Fiscal Stabilization Fund (SFSF) program. By accepting funds under the program, the SEA agreed to collect and publish various data, including those on students’ success in college (such as whether they enrolled in remedial courses). The SEA has data on state X high school graduates because it has a functioning K-12 statewide longitudinal data system (SLDS) and wants to provide its high schools with information on how their graduates were doing at the postsecondary level. To prepare the feedback reports, however, the SEA needs to match data on state X’s public high school graduates with data from state X’s public institutions of higher education (IHEs). The SEA wishes to obtain these data yearly to house in its SLDS in order to conduct an ongoing evaluation and produce annual individual high school feedback reports.
Can the SEA Use the Audit/Evaluation Exception?
YES!
Yes, the SEA may use the audit/evaluation exception because it is evaluating public high school instruction, which is considered an “education program” under FERPA. The SEA determines that state X’s higher education governing board (HEGB) has the needed information for public IHEs in state X. As described below, the SEA enters into a written agreement with the HEGB designating it as its authorized representative, allowing the SEA to send PII to the HEGB on its high school graduates. Here are the next steps:
COLLECT. The HEGB matches the SEA’s list with its data and identifies students who have enrolled in state X’s IHEs. The HEGB then sends the SEA information about those students’ enrollment and college credits earned.
SAFEGUARD. The SEA consults the Guidance for Reasonable Methods and Written Agreements and selects applicable best practices to safeguard the data. The SEA ensures to the greatest extent practicable that the HEGB will comply with FERPA and use the SEA’s information only for the purposes specified in the written agreement. The HEGB requires that the SEA destroy the HEGB’s data when it is no longer needed for the purposes of evaluating the SEA’s programs. Because the SEA will be including the HEGB’s data in the state X SLDS for use in preparing future feedback reports, the HEGB does not require the immediate destruction of the data. Upon expiration of the agreed-upon data-retention period, the HEGB requires the SEA to certify that the data obtained from the HEGB has been destroyed.
RECORD. The SEA also records its disclosure of education records to the HEGB, identifying the students whose records were disclosed and verifying that the purpose of the disclosure was to permit the SEA to evaluate its programs.
SHARE CONSISTENT WITH PRIVACY PROTECTIONS! The SEA then uses the matched data to prepare high school feedback reports, which it sends to its local educational agencies in aggregate form.
Page 13 of 18
Fpa mythbusters MYTHS
MYTH: Health Information Portability and Accountability Act (HIPAA) is the only privacy law covering health records mcaeinntatinreadlibzyeadschsoyosl.tem, such as a
statewide longitudinal data
FACT: A properly managed
MYTH: Schools are required to honor consent forms obtained by community-based organizations.
system, can often do a
MYTH:bYeotutmeurstjhoabve owrfiteten csounsreintgby a parent before you can share education data
.
privacy through a set of
for any reason.
uniform protections that
MYTH: Efforts to centralize the collection and storage of student information necessarily increase the risk of
limit the risk of
inappropriate access.
inappropriate access and
MYTH: There’s a silver bullet. Unfortunately, there is no single data-sharing model for communities to follow. There is,
by community-
use.
FACT: Many states also
however, one thing communities can to do to improve their chances for data sharing success: BUILD RELATIONSHIPS.
Studies consistently show that schools are far more likely to release data to organizations with whom they have a pre-
existing relationship and a shared goal. policies, and practices
based
organizations. chances for data-sharing success:
FACT: A “parent” may be an individual acting as a parent in the absence of a legal parent or guardian.
FACT: There is nothing in FERPA that would preclude a community-based organization from obtaining and maintaining
consent.
BUILD RELATIONSHIPS.
FACT: A “parent”
may be an
individual acting as
a parent in the
absence of a legal
parent or guardian
have their own laws,
that protect student privacy and should be
FACTS
FACT: Many states also have their own that limit the risk of inappropriate access and use laws, policies and practices fhoronored in all data-
protecting education records.to follow.
FACT: It is a best practice for schools to have written agreements or contracts with community-based organizations under
MYTH: Schools
single data-sharing model for
communities to follow. There is,
FACT: There is nothing in FERPA that would preclude a community-based organization from obtaining and maintaining consent.
MYTH: There’s a silver bullet. FACT: Unfortunately, there is no
sharing activities.
the school officialexception.
FACT: Centralized systems, such as statewide longitudinal data systems, ensure that data collection, storage, and access
meet a uniform set of protections
are required to
honor consent
FACT: Sharing group- or grade- level aggregate data can help community partners provide services tailored to student
forms obtained
however, one thing communities can to do to improve their
needs.
FACT: A properly managed centralized system, such as a statewide longitudinal data system, can often do a better job ensuring privacy through a set of uniform protections that limit the risk of inappropriate access and use.
MYTH: Efforts to centralize the collection and storage of student information necessarily increase the risk of inappropriate access.
FACT: It is a best practice for schools to have written agreements or contracts with community-based organizations under the school-official exception.
FACT: Sharing group- or grade- level aggregate data can help community partners provide services tailored to student needs.
MYTH: You must have written consent by a parent before you can share education data for any reason.
FACT: The Individuals with Disabilities Education Act (IDEA) contains several confidentiality provisions that go beyond FERPA and are specific to students with disabilities.
Page 14 of 18
Mythbusters
Now that you have an idea of the rules, let’s get you started with some tools.
Introduction to Tools...
Aprimeronintegrateddatasystems
Templates for starting your own data plans
Links to other reference materials you might find helpful to your community
Page 15 of 18
Integrated Data Systems
So, what’s an integrated data system or “IDS”?
You’ve probably heard the saying “the right hand doesn’t know what the left hand is doing.” We’ve all worked as part of an organization— or even a group of organizations— with a common goal but not common information. What if you could ensure both hands had access to the same information all while ensuring student privacy? Guess what? YOU CAN!
Integrated data systems link data from multiple organizations in a secured, controlled environment, to allow you and your community partners to access the same information for case management, evaluation, and shared performance management.
Examples of common goal categories
Education Health Mental Health Financial Housing Juvenile Justice
Getting started is easier than you may think ...
There are an increasing number of organizations using integrated data systems. Research indicates that these systems can save money and offer a host of features that can effectively support data-driven decision making. Features may include reporting tools, service tracking, electronic referrals, assessment integration, release-of- information forms, researcher access, and built-in privacy protections.
Do IDS users need to pay attention to FERPA?
Stay Up to Date!
Sign up for regular updates on http://ptac.ed.gov to receive updated guidance, including anticipated guidance on Integrated Data Systems.
Yes, there are two stages at which it is critical to understand FERPA compliance and best practices when using an IDS: (1) becoming an IDS partner and contributing data to an established collaborative of organizations and (2) approving specific uses of integrated data from the IDS for research and evaluation purposes. It’s also important to remember that there are laws and policies regulating data collection and data sharing at each level of government that must be understood and followed.
Use of an integrated data system doesn’t guarantee compliance with existing privacy laws.
No matter what type of IDS system you decide to use or when you decide to use one, be sure all shared PII from education records is based on consent, or meets an exception. Keep in mind that other types of data, such as employment, health, and housing data, may have additional privacy protections. There are a number of existing resources to help you ensure data security, such as those in Chapter 6 of this guide from the Urban Institute. Email the U.S. Department of Education’s Privacy Technical Assistance Center for assistance with specific IDS questions.
Page 16 of 18
Integrated Data Systems
Good news!
We’ve created a few resources to get you started.
Templates
Sample Memorandum of Understanding
Sample Consent Form
Model Notification of Rights for Elementary and Secondary Schools
Model Notification of Rights for Postsecondary Schools
Model Notice for Directory Information
Reference Materials
Data Drives School-Community Collaboration: Seven Principles for Effective Data Sharing (Strive Together and the Data Quality Campaign)
State-by-State Security Laws: State-by-State Summary Table (The Data Quality Campaign)
Measuring Performance: A Guidance Document for Promise Neighborhoods on Collecting Data and Reporting Results (Urban Institute)
“Interagency Data Disclosure: A Tip Sheet on Interagency Collaboration Helping Homeless Students” (U.S. Department of Education)
Joint Guidance on the Application of FERPA and HIPAA to Student Health Records (U.S. departments of Education and Health and Human Services)
Page 17 of 18
RESOURCES
Now let’s begin!
Contact us for additional information.
For more information about FERPA, please visit the Department’s Family Policy Compliance Office (FPCO) resource website:
http://familypolicy.ed.gov
For resources on best practices for ensuring the confidentiality and security of personally identifiable information and promoting FERPA compliance, please visit the Department’s Privacy Technical Assistance Center (PTAC) website:
http://ptac.ed.gov
Email — PrivacyTA@ed.gov | Toll-Free Phone — (855) 249-3072
Page 18 of 18
|