Future&of&Privacy&Forum& July&2015&

Transcription

1

2 De#Identification-and-Student-Data- Understanding-De#Identification-of-Education-Records-and-Related-Requirements-of-FERPA- - Appropriateandwell/designedstudentdatausebyschools,families,researchers,andservice providers,greatlyenhancesteachingandlearning.newtechnologieslinkedtohighcapacity broadbandnetworksoffereducatorsandotherstakeholdersaccesstopowerfulanalyticaltools, richdata,anddynamicdigitalresources,whichcanimprovestudentoutcomesandinform importanteducationpolicyreforms.thesetechnologyadvancements,however,alsoinvitenew risksforexposingpersonallyidentifiablestudentdatatounauthorizeddisclosures,misuse,and abuse.inordertoreaptechnology sbenefitswithoutencounteringthesepitfalls,educational agenciesandinstitutions,andtheiroutsidepartners,mustdevelopandimplementmore effectivestrategiesandtoolsforpromotingstudents privacyandconfidentiality. Datade/identificationrepresentsoneprivacyprotectionstrategythatshouldbeineverystudent dataholder splaybook.integratedwithotherrobustprivacyandsecurityprotections, appropriatede/identification choosingthebestde/identificationtechniquebasedonagiven datadisclosurepurposeandrisklevel providesapathwayforprotectingstudentprivacy withoutcompromisingdata svalue.thispaperprovidesahighlevelintroductionto:(1) educationrecordsde/identificationtechniques;and(2)exploresthefamilyeducationalrights andprivacyact s(ferpa)applicationtode/identifiededucationrecords. 1 Thepaperalsoexplores howadvancesinmathematicalandstatisticaltechniques,computationalpower,andinternet connectivitymaybemakingde/identificationofstudentdatamorechallengingandthusraising potentialquestionsaboutferpa slong/standingpermissivestructureforsharingnon/personally identifiableinformation. The-Three#Legged-Stool-of-De#Identification:-Personally-Identifiable-Information,-De# identification-strategies,-and-data-sharing-purposes-&-disclosure-risk-assessment-- Datade/identificationisatechnicallyandlegallycomplexissuewithspecialnuancesacross industriesandareasoflaw.thispapernarrowlyexaminestheissuefromtheperspectiveof educationrecordsandferpa.theu.s.departmentofeducation sprivacyandtechnical AssistanceCenter(PTAC)definesde/identificationasthe processofremovingorobscuringany personallyidentifiableinformationfromstudentrecordsinawaythatminimizestheriskof unintendeddisclosureoftheidentityofindividualsandinformationaboutthem. 2 UnderstandingPTAC sdefinitioniscriticaltocomplyingwithferpaandensuringadherenceto de/identificationbestpractice.withthatgoalinmind,thissectionintroducesthreecorestudent datade/identificationconceptsdrawnfromptac sdefinitionandferpa(lawandregulations): personallyidentifiableinformation(pii);de/identificationprocesses;disclosurepurposeandrisk assessment. 1 FamilyEducationalRightsandPrivacyAct,20U.S.C.1232g. 2 DataDe&identification:AnOverviewofBasicTerms.U.S.DepartmentofEducationPrivacyTechnicalAssistanceCenter,PTAC/GL, Oct2012(updatedMay2013).&& & 1

3 PersonallyIdentifiableInformation Educationalagenciesandinstitutions,andtheirpartners,usede/identificationtoseveror obscureconnectionsbetweenusefuleducationdataand personallyidentifiabledata. FERPA s sharingprohibitionsandrequirements(exploredlaterinthepaper)onlyapplytopii.inother words,non/personallyidentifiableinformationmaybesharedandretainedwithoutrestriction (withanarrowexceptionrelatedtode/identifieddataconnectedtoarecordlocator).asaresult, understandingthelaw sdefinitionofpiiiscriticaltomakingdeterminationsabouthowstudent datamaybeused,when,andbywhom.underferpa,piiincludes,butisnotlimitedto: a) Thestudent sname b) Thenameofthestudent sparentorotherfamilymembers; c) Theaddressofthestudentorstudent sfamily; d) Apersonalidentifier,suchasthestudent ssocialsecuritynumber,studentnumber,or biometricrecord; e) Otherindirectidentifiers,suchasthestudent sdateofbirth,placeofbirth,andmother s maidenname; f) Otherinformationthat,aloneorincombination,islinkedorlinkabletoaspecificstudent thatwouldallowareasonablepersonintheschoolcommunity,whodoesnothave knowledgeoftherelevantcircumstances,toidentifythestudentwithreasonable certainty;or g) Informationrequestedbyapersonwhotheeducationalagencyorinstitutionreasonably believesknowstheidentityofthestudenttowhomtheeducationrecordrelates. 3 Educationalagenciesorinstitutions,andpartnerentities,suchastechnologyvendors, communitybasedorganizations,orresearchers,interestedinusingde/identificationasaprivacy protectionstrategy,mustpayparticularattentiontothedefinition sinclusionof indirect identifiers and otherinformation. Datade/identificationtechniquesareusedtoremovethe directidentifiersdescribedabove,aswellasindirectidentifiersandotherinformation,whichif leftunaddressed,couldbeusedtoidentifyindividualstudents.otherexamplesofindirect identifiersincluderace,religion,weight,activities,employmentinformation,medical information,educationinformation,andfinancialinformation. 4 DataDe&IdentificationTechniques Datade/identification removingorobscuringpii/beginswitheliminatingalldirectstudent identifiersfromaneducationrecord,buteducationagenciesandinstitutions,andotherdata holders,musttakefurtherstepstoensurethatindirectidentifiersorotherinformationdonot enableanunauthorizedactorfromdeterminingastudent sidentity.thesefurtherstepsinvolve usingsophisticatedmathematicalandstatisticalde/identificationtechniques,including 3 &FERPA,10U.S.C.1232g;34CFR 99.3.& 4 SeePrivacyandTechnicalAssistanceOnlineGlossary:& & 2

4 leveragingtechnologytoensurethemethodsareaccuratelyandcomprehensivelyappliedacross largeandcomplexdatasets.selectionofanappropriatede/identificationstrategywillvarybased onspecificcontext,includingwhetheritwillbeappliedtoindividualleveldata(information collectedandrecordedseparatelyforeachstudent)oraggregatedata(datacombinedfrom severalmeasurements).theformerrequiresmuchmorerobustprotections. TheU.S.DepartmentofEducation sptacprovideshelpfulguidancematerials,includingcase studies,thatprovidedetailedinformationaboutde/identificationapproaches, 5 butcommon methodsincludethefollowingstrategies. 6 SeeAddendumAforhighlevelexamplesofeach technique. Blurring- Reducingtheprecisionof discloseddatatominimize thecertaintyofindividual identification.forexample convertingcontinuousdata elementsintocategorical elementsthatsubsume uniquecases. Perturbation- Makingsmallchangesto thedatatoprevent identificationofindividuals fromuniqueorrare populationgroups.for example,swappingdata amongindividualcellsto introduceuncertainty. Suppression- Removingdata,for examplefromacellorrow, topreventthe identificationofindividuals insmallgroupsorthose withuniquecharacteristics. Usuallyrequires suppressionofnon/ sensitivedata. SharingPurpose&PIIDisclosureRiskassessment Educationalagenciesandinstitutionsplanningtousede/identificationtechniquestoenable unconsenteddatasharing ininstanceswhenaferpadisclosureexceptiondoesnotapply/ mustmakea reasonabledeterminationthatthestudent sidentityisnotpersonallyidentifiable becauseofuniquepatternsofinformationaboutthestudentwhetherthroughsingleormultiple releases,andtakingintoaccountotherreasonablyavailableinformation. 7 Thestandardfor makingthisdeterminationisdiscussedlaterinthepaper,butneitherferpa,northeu.s. DepartmentofEducation sferparegulations,providea safeharbor listingspecificstepsthat leadtoappropriatede/identification.instead,federalpolicyprovidesastandardformakingcase/ by/casejudgmentsofpiidisclosureriskattheeducationalagency,institution,orapprovedparty level. 8 Thiscase/by/caseapproachmeansthatthelistofindirectidentifiersthatmustbe removedorobscuredtoachieveappropriatede/identificationwilllikelyvarybycircumstance. 5&PrivacyandTechnicalAssistanceCenter: PTAC/FAQ/2,October2012(updatedMay2013),DataDe&identification:AnOverviewofBasicTerms,PTAC/GL,Oct2012(updated May2013),CaseStudy#5:MinimizingAccesstoPII:BetPracticesforAccessControlsandDisclosureAvoidanceTechniques,PTAC/ CS/5,October2012.& 6&Seealso,FederalCommitteeonStatisticalMethodology sstatisticalpolicyworkingpaper22reportonstatisticaldisclosure LimitationMethodology,(73Fed.Reg.74806/35,Dec9,2008). 7 73FR73833,December9,2008.& 8 73FR74834,December9,2008. & 3

5 Selectinganappropriatede/identificationmethoddependsinpartonexaminingtheplanned datasharingpurpose.thedatasharingpurposeandde/identificationstrategymustbe compatible. 9 Forexample,researchersinterestedinexaminingstudents performanceovertime mightrequireaccesstodetailed,accurateacademicinformationspanningseveralyears(limiting useofde/identificationtechniquesthatdiminishadata svalidity).researchersstudyinga studentcohort sgrowthtowardastate scollegeandcareerreadystandardsusingaspecific pedagogy,forexample,wouldnotbeabletousedatade/identifiedusingatechniquethatlimits thedata sreliabilityandvalidity.(alternatively,thistypeoflongitudinalresearchmightbe conductedusingde/identifieddatalinkedtoarecordlocatortoenabletheoriginating educationalagencyorinstitutiontoprovidede/identifieddataforthesamestudentsovertime. Useofsuchalocatordoesnotrenderthedata personallyidentifiable underferpa,butitdoes triggerspecialrequirements.)conversely,datasharedforpurposesthatrequirelessdata precisionandaccuracy,suchassoftwaretrainingortechnologyresearchanddevelopment,could usemuchmoreaggressivede/identificationstrategies,suchasusingtechniquesthatreplace sensitiveinformationwithinauthenticormodifieddata. Pleasenote,usingde/identificationtechniquesasaprivacytooldoesnotalwaysinvolve removingallpii,butinsituationswhenpiiremainspartofagivendataset(i.e.wherethedata hasnotbeencompletelyde/identified),unconsentedsharingmayonlyoccurwithconsentor consistentwithanappropriateferpaexception.forexample,aneducationalagencyor institutionsharingpiiunderaqualifiedferpaexceptionmaywishtousede/identification techniquestominimizepiireleasedtoanoutsideentity,eventhoughtheymaylawfullysharea rangeofstudentlevelinformation.tobemorespecific,aresearchermightconductastudythat requiresadiscretelistofindirectidentifiersthattogethercouldleadtothestudent s identification,suchasastudent sage,raceandfamilyfinancialinformation,butnotrequiring otherpiifoundinthesameeducationrecords.insuchaninstance,thesethreepiecesof personallyidentifiablestudentdata andotherinformationattachedthem/wouldremain subjecttoferpa sdisclosurelimitationsandotherrequirements,butde/identification techniques(e.g.,suppression)couldprovideadditionalprotectionforthestudentbyremoving data,forexamplefromacellorrow,unnecessarytothestudy.researcherslawfullyusingpiiin thiscontextandothercases,however,mustcompletelyde/identifyanyreportorother informationbeforereleasingittothepublicorotherparties,includingotherresearchers. 10 Entitiesplanningtousede/identificationtechniquesmustmitigatetheriskofexposingthe identityofindividualstudents.therefore,afterexaminingtherequirementsofagivendata sharingpurpose,educationdataholdersmustalsoassesstherisksassociatedwiththeirplanned disclosure,includingconsideringpastdatareleases(theriskofre/identificationiscumulative), samplesize,thenatureofthedatarecipient, 11 whetherthedatawillbefurthersharedormade 9&DataDe&identification:AnOverviewofBasicTerms.U.S.DepartmentofEducationPrivacyTechnicalAssistanceCenter,PTAC/GL, Oct2012(updatedMay2013),p.4.& 10 73FR74834,December9, TheDepartmentofEducationhassaid thereisnostatutoryauthorityinferpatomodifytheprohibitionondisclosureof personallyidentifiableinformationfromeducationrecords,ortheexceptionstothewrittenconsentrequirement,basedonthe trackrecordoftheparty,includingjournalistsandresearchers,inmaintainingtheconfidentialityofinformationfromeducation & 4

6 public,andothercontextualconditions. 12 Moreaggressivede/identificationstrategiesare requiredinsituationswhenthestudentdataispotentiallyatgreaterriskofre/identification. Forexample,de/identifieddatasharedforaspecificpurposewithatrustedpublicorprivate entitysuchasastatedepartmentofeducation,institutionofhighereducation,orprofessional vendorwithstrictlegalandcontractprotections(e.g.,anagreementwithstrictre/disclosure limitations),mightbelesslikelytobewidelyavailablelater(decreasingthere/identification threatassociatedwithcumulativedatareleases),comparedforexampletoannualschoolor districtperformancedataposteddirectlytoapublicwebsitetocomplywithfederalandstate accountabilityrequirements.whyisgreaterpublicavailabilityofaproperlyde/identifieddataset apotentialproblem?insomecases,de/identifieddatamightbesubjecttonefarious comparisonswithotherdatasets(e.g.,withwidelyavailablestudent directoryinformation )or otherattemptstorevealpii.whendataentersthepublicdomain,itcouldbeexposedtocutting/ edgetoolsandtechniquesdesignedtocomparethede/identifieddatatootherpubliclyavailable datasetsandthusrevealastudents identity(theferpaimplicationsofsuchabreakthroughare discussedfurtherbelow). Althoughexpertsdisagreeabouttheextenttowhichnewtechnologiesandtechniquescan back map de/identifieddatatorevealastudent sidentity,aseriousstatisticalanalysisthatensures alldirectandindirectidentifiershavebeenremovedcanbeperformedtoensureanyre/ identificationriskisremote. Inshort,prudentstudentdataholdersshouldconsiderusing inlightofnewdataminingand comparisontechniquesthatmightbemoreeffectivethaniscommonlyaccepted themost aggressivede/identificationstrategiespossiblewhendatawillbemadepublicorsharedwidely. WhendataissharedwithlimitedrestrictedpartiesunderstrongcontrolsandunderaFERP exception,acombinationoftechnical,administrativeandcontractualcontrolswillbe appropriateforreasonablede/identificationmeasuresthatmaypreservegreaterutilityofthe data. Application-of-FERPA-to-De#Identified-Records-- Asageneralrule,FERPAprohibitsthedisclosureofeducationrecordscontainingpersonally identifiablestudentdatawithoutparentoreligiblestudentconsent. 13 Therefore,thereleaseof educationrecordsthathavebeenappropriatelyde/identified purgedofdirectandallnecessary indirectidentifiersinagivencontext/isnotconsidereda disclosure underferpa,sinceby definitionsuchrecordsdonotcontainpii. 14 Properlyde/identifiedstudentdatathusmaybe sharedwithoutlimitationunderferpa(althoughotherfederalandstateprivacylawsmay apply).furthermore, de/identifiedinformationfromeducationrecordsisnotsubjecttoany &&&&&&&&&&&&& recordsthattheyhavereceived. (73FR74834).Nonetheless,therecipients identityshouldlikelybeconsideredamongother variablesineachriskassessment. 12 FrequentlyAskedQuestions DisclosureAvoidance,p.4,PTAC/FAQ/2,Oct2012(updatedMay2013).p.2/3& 13 20U.S.C.1232g(b)(1) 14 34CFR99.31(b)(1) & 5

7 destructionrequirementsbecause,bydefinition,itisnot personallyidentifiableinformation. 15 TheDepartmenthassaid,however,apartyreleasingde/identifiedstudentdatamightmitigate risksassociatedwithfuturedatareleasesbyindependentlyrequiringdatadestructioninsome circumstances. 16 Thereisoneimportantexception,however,toFERPA sunconsentedsharingexceptionforde/ identifieddata.de/identifieddatacoupledwitharecordcodeorlocatorbyaneducational agencyorinstitution allowingittobematchedlatertotherecordsource/mayonlybeshared foreducationresearch.althoughthedepartment sregulationsandguidancedonotspecifically discussthequestion,itappearsthateducationalagenciesorinstitutionsmayselectanyqualified thirdpartytoconductresearchunderthisprovision,butallsecondary(non/research)usesofde/ identifieddatawitharecordlocatorareprohibited.furthermore,thedatasharingentitymay notdiscloseinformationabouthowitgeneratedandassignedtherecordcode,orother informationthatmightallowadatarecipienttoidentifyastudentbasedontherecordcode. Lastly,therecordcodemustnotbebasedonastudent ssocialsecuritynumberorother personalinformation. 17 Suchadatasetremainscategorizedas de/identified, andmaythusbe sharedwithoutparentoreligiblestudentconsent,butunlikeotherde/identifieddataitmayonly besharedfortheresearchpurposespecifiedtotheeducationalagencyorinstitution,consistent withtheotherrequirementsdescribedabove. Beforesuchdatasharingcanoccur,however,theeducationrecordmustbeproperlyde/ identified.asreferencedabove,the releasingpartyisresponsibleforconductingitsown analysisandidentifyingthebestmethodstoprotecttheconfidentialityofinformationfrom educationrecordsitchoosestorelease. 18 ThisdeterminationdependsonFERPA sdisclosure riskassessmentstandard.thisstandardaskswhethera reasonablepersonintheschool communitywhodoesnothavepersonalknowledgeoftherelevantcircumstances couldusethe releaseddata,andotherpubliclyavailabledata,toidentifyanindividualstudentwith reasonablecertainty. 19 Thisstandardextendstopossibledataholdersbeyondtheliteralschool community. TheDepartmentofEducationdoesnotrequireeducationalagenciesandinstitutionstouse specificdatadisclosureavoidancetechniquestoachievethisstandard,andstatedinarecent rulemaking, itisnotpossibletoprescribeoridentifyasinglemethodtominimizetheriskof disclosingpersonallyidentifiableinformationthatwillapplyineverycircumstance 20 The Departmenthasalsosaid determiningwhetheraparticularsetofmethodsforde/identifying dataandlimitingdisclosureriskisadequatecannotbemadewithoutexaminingtheunderlying datasets,otherdatathathavebeenreleased,publiclyavailabledirectoriesandotherdatathat arelinkedorlinkabletotheinformationinquestions. 21 Inotherwords,thepartyreleasingdata 15&73FR15585,March24,2008& 16&73FR74835,December9,2008& 17 34CFR99.31(b)(2)(i)/(iii) FR74835,December9, CFR 99.3,34CFR 99.31(b)(1) 20 73FR74835,December9, Ibidat74835& & 6

8 mustperformacontextspecificanalysisandidentifythebestmethodforprotectingstudent informationsubjecttodisclosures.properapplicationoftheacceptedmathematicaland statisticalde/identificationstrategiesdescribedearlierinthepapermeetthislegalstandardin manyinstances,butbylaweachsharingcontextmustbeindependentlyanalyzedagainstthe Department sreasonablenessstandard. 22 Someexpertshavearguedthatgivenrecentcaseswhereresearchershaveleveragedaccessto otherpubliclyavailabledatasetstoidentifyspecificindividuals,absolutedatade/identification maybeimpossible,orataminimum,increasinglydifficult. 23 Inlightofthisuncertainty,data sharingpartiesshouldverycarefullyanalyzeeachproposeddisclosureofde/identifieddata againstferpa sreasonablenessstandardandalsoconsiderusingcontractsthatspecify protections aboveandbeyondferpa/thatcouldfurtherminimizetheriskofre/identification. De#Identified-Data:-Retention-and-Destruction- FERPApermitsthirdpartydataholders,includingvendors,toretainanduseappropriatelyde/ identifieddata solongasitisnotassociatedwitharecordlocator/foranysecondarypurpose. Furthermore,FERPAdoesnotdescribehowde/identifieddatashouldbemanaged,including,as describedabove,whenandhowthedatashouldbedestroyed.vendorsandotherthirdparty holdersmust,however,ensurethatagivende/identifieddatasetisnotsubjecttorelevant contractterms,orotherfederal,state,andlocalprivacylawsandregulations,whichmight containmorestringentdataretentionordestructionrequirements. 24 Forexample,personaldata subjecttothechildren sonlineprivacyprotectionactmayonlyberetainedsolongasis necessarytofulfillthepurposeforwhichitwascollected,andcoppacoveredentitiesmust deletetheinformationusingreasonablemeasurestoprotectagainstitsunauthorizedaccessor use. 25 AlthoughFERPAdoesnotgoverntheuse,retentionanddestructionofproperlyde/identified data,thirdpartiesshouldhavesoundpolicies guidedbynationalinstituteofstandardsand TechnologyorPTACbestpracticerecommendations/addressingtheseissues.Thisinternal, independentstepincludesensuringthatde/identifieddataisdestroyedwhenitisnolonger needed,inordertominimizere/identificationrisksassociatedwithpossiblefutureeffortsto compareandlinkthedatawithotherdatasets.dataholdersmustalsoensurethattheytake properactionstodestroydata.simplydeletingdataisnotsufficientinmostcasesandptac s datadestructionbestpracticesprovidehelpfulguidance.ptacrecommendsthatdataholders makerisk/baseddecisionsonwhich[destruction]method/[e.g.clearing,purging,ordestroying data]/ismostappropriatebasedonthedatatype,riskofdisclosure,andtheimpactifthatdata weretobedisclosedwithoutauthorization. 26 Thedatade/identificationmethodusedtoremove 22 34CFR99.31.(b)(1).Seealso,PTACFrequentlyAskedQuestions DisclosureAvoidance,p.4,PTAC/FAQ/2,Oct2012(updated May2013). 23 BrokenPromisesofPrivacy:RespondingtotheSurprisingFailureofAnonymization,PaulOhm,UniversityofColoradoLaw School,UCLALawReview,Vol.57,p.1701, PrivacyandTechnicalAssistanceCenter,BestPracticesforDataDestruction,p.5,PTAC/IB/5,May C.F.R PTACBestPracticesforDataDestruction,p.5. & 7

9 PIIfromadatasetshouldbeacentralfactorinmakingthisdetermination.Dataholdersseeking additionalguidanceonproperdestructionstrategiesshouldconsultrecommendationsmadeby thenationalinstituteofstandardsandtechnologyandotherexpertsources. 27 Conclusion- De/identificationoffersanimportanttoolforeducationalagencies,institutionsandtheir partnersseekingtomaximizestudentdata spotentialvaluetoimprovingteachingandlearning, whilealsocarefullyprotectingstudentprivacyandconfidentiality.properdatade/identification requires,however,deeptechnicalknowledgeandexpertiseandadherencetoindustrybest practice.therefore,studentdataholdersshouldnotattempttode/identifystudentdatasets withoutcompetentsupport.theyshouldalsoconsultcompetentlegalcounseltoensurethat theirdatamanagementpoliciesandpractices includingde/identificationstrategies/comply withferpaandallotherrelevantfederal,state,andlocallawsandrequirementspotentially applicabletothedatatheymanage. 27 NationalInstituteofStandardsandTechnology(NIST)SpecialPublication800/88Rev.1:GuidelinesforMediaSanitization. December2014. & & 8

10 IllustrationofCommonDe1IdentificationMeasuresinAggregateDataSets Joan sdirectoridentifiers StudentName:JoanSmith StudentsParents:JohnSmith&JackieSmith Address: th Street,Washington,D.C. StudentNumber:4444 SocialSecurityNumber:555C555C555 Joan sindirectidentifiers DataofBirth:11/01/2000 Race:AlaskaNative Gender:Female PlaceofBirth:Washington,D.C. FamilyIncome:$85,000 GPA:3.75 AllDirectIdentifiersRemoved Joan sindirectidentifiers DataofBirth:2000 Race:UniqueCharacteristicRemoved Gender:Female Mother smaidenname:unique CharacteristicRemoved PlaceofBirth:MidCAtlantic FamilyIncome:$50,000C$100,000 GPA: Mike sindirectidentifiers DataofBirth:1999 Race:UniqueCharacteristicRemoved Gender:Female Mother smaidenname:unique CharacteristicRemoved PlaceofBirth:Midwest FamilyIncome:$50,000C$100,000 GPA: Joan sindirectidentifiers DataofBirth:2000 Race:UniqueCharacteristicRemoved Gender:Male Mother smaidenname:uniquecharacteristic Removed PlaceofBirth:Northeast FamilyIncome:$50,000C$100,000 GPA: AllDirect Identifiers Removed Joan sindirectidentifiers DataofBirth:11/01/2000 Race:AlaskaNative Gender:Female PlaceofBirth:Washington,D.C. FamilyIncome:$85,000 GPA:3.75 AllDirect Identifiers Removed Joan sindirectidentifiers DataofBirth:2000 Race:Minority Gender:Female Mother smaidenname:johnson PlaceofBirth:MidCAtlantic FamilyIncome:$50,000C$100,000 GPA: Raw$Individual$Student$Data$in$Aggregate$Data$Table$ Redacted$Individual$Student$Level$Data$in$ Aggregate$Data$Table$ $ Blurring$(Reducing$Data$Precision$including$$ Using$Broader$Categories)$ $ Suppression$(Removing$Data$from$a$Cell$or$Row)$ Perturbation$(Small$Data$Changes,$including$through$$ Swapping$Data$among$Cells)$ $$