Future of Privacy Forum, July 2015


De-Identification and Student Data: Understanding De-Identification of Education Records and Related Requirements of FERPA

Appropriate and well-designed student data use by schools, families, researchers, and service providers greatly enhances teaching and learning. New technologies linked to high-capacity broadband networks offer educators and other stakeholders access to powerful analytical tools, rich data, and dynamic digital resources, which can improve student outcomes and inform important education policy reforms. These technology advancements, however, also invite new risks of exposing personally identifiable student data to unauthorized disclosure, misuse, and abuse. In order to reap technology's benefits without encountering these pitfalls, educational agencies and institutions, and their outside partners, must develop and implement more effective strategies and tools for promoting students' privacy and confidentiality.

Data de-identification represents one privacy protection strategy that should be in every student data holder's playbook. Integrated with other robust privacy and security protections, appropriate de-identification (choosing the best de-identification technique based on a given data disclosure purpose and risk level) provides a pathway for protecting student privacy without compromising the data's value. This paper provides a high-level introduction to (1) education records de-identification techniques and (2) the application of the Family Educational Rights and Privacy Act (FERPA) to de-identified education records.[1] The paper also explores how advances in mathematical and statistical techniques, computational power, and internet connectivity may be making de-identification of student data more challenging, and thus raising potential questions about FERPA's long-standing permissive structure for sharing non-personally identifiable information.
The Three-Legged Stool of De-Identification: Personally Identifiable Information, De-Identification Strategies, and Data Sharing Purposes & Disclosure Risk Assessment

Data de-identification is a technically and legally complex issue with special nuances across industries and areas of law. This paper narrowly examines the issue from the perspective of education records and FERPA. The U.S. Department of Education's Privacy and Technical Assistance Center (PTAC) defines de-identification as the "process of removing or obscuring any personally identifiable information from student records in a way that minimizes the risk of unintended disclosure of the identity of individuals and information about them."[2] Understanding PTAC's definition is critical to complying with FERPA and ensuring adherence to de-identification best practice. With that goal in mind, this section introduces three core student data de-identification concepts drawn from PTAC's definition and from FERPA (law and regulations): personally identifiable information (PII); de-identification processes; and disclosure purpose and risk assessment.

[1] Family Educational Rights and Privacy Act, 20 U.S.C. 1232g.
[2] Data De-identification: An Overview of Basic Terms. U.S. Department of Education Privacy Technical Assistance Center, PTAC-GL, Oct 2012 (updated May 2013).

Personally Identifiable Information

Educational agencies and institutions, and their partners, use de-identification to sever or obscure connections between useful education data and "personally identifiable data." FERPA's sharing prohibitions and requirements (explored later in the paper) apply only to PII. In other words, non-personally identifiable information may be shared and retained without restriction (with a narrow exception related to de-identified data connected to a record locator). As a result, understanding the law's definition of PII is critical to making determinations about how student data may be used, when, and by whom. Under FERPA, PII includes, but is not limited to:

a) The student's name;
b) The name of the student's parent or other family members;
c) The address of the student or student's family;
d) A personal identifier, such as the student's social security number, student number, or biometric record;
e) Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;
f) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
g) Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.[3]

Educational agencies or institutions, and partner entities such as technology vendors, community-based organizations, or researchers, interested in using de-identification as a privacy protection strategy must pay particular attention to the definition's inclusion of "indirect identifiers" and "other information." Data de-identification techniques are used to remove the direct identifiers described above, as well as indirect identifiers and other information which, if left unaddressed, could be used to identify individual students. Other examples of indirect identifiers include race, religion, weight, activities, employment information, medical information, education information, and financial information.[4]
Data De-Identification Techniques

Data de-identification (removing or obscuring PII) begins with eliminating all direct student identifiers from an education record, but education agencies and institutions, and other data holders, must take further steps to ensure that indirect identifiers or other information do not enable an unauthorized actor to determine a student's identity. These further steps involve using sophisticated mathematical and statistical de-identification techniques, including

[3] FERPA, 20 U.S.C. 1232g; 34 CFR 99.3.
[4] See Privacy and Technical Assistance Center Online Glossary: http://ptac.ed.gov/glossary. Last visited April 12, 2015.

leveraging technology to ensure the methods are accurately and comprehensively applied across large and complex data sets. Selection of an appropriate de-identification strategy will vary based on the specific context, including whether it will be applied to individual-level data (information collected and recorded separately for each student) or aggregate data (data combined from several measurements). The former requires much more robust protections.

The U.S. Department of Education's PTAC provides helpful guidance materials, including case studies, that give detailed information about de-identification approaches,[5] but common methods include the following strategies.[6] See Addendum A for high-level examples of each technique.

Blurring: Reducing the precision of disclosed data to minimize the certainty of individual identification. For example, converting continuous data elements into categorical elements that subsume unique cases.

Perturbation: Making small changes to the data to prevent identification of individuals from unique or rare population groups. For example, swapping data among individual cells to introduce uncertainty.

Suppression: Removing data, for example from a cell or row, to prevent the identification of individuals in small groups or those with unique characteristics. Usually also requires suppression of some non-sensitive data, so that a suppressed value cannot be recovered from the cells and totals that remain.

Sharing Purpose & PII Disclosure Risk Assessment

Educational agencies and institutions planning to use de-identification techniques to enable unconsented data sharing (in instances when a FERPA disclosure exception does not apply) must make a "reasonable determination that the student's identity is not personally identifiable because of unique patterns of information about the student, whether through single or multiple releases, and taking into account other reasonably available information."[7] The standard for making this determination is discussed later in the paper, but neither FERPA, nor the U.S.
Department of Education's FERPA regulations, provides a "safe harbor" listing specific steps that lead to appropriate de-identification. Instead, federal policy provides a standard for making case-by-case judgments of PII disclosure risk at the educational agency, institution, or approved party level.[8] This case-by-case approach means that the list of indirect identifiers that must be removed or obscured to achieve appropriate de-identification will likely vary by circumstance.

[5] Privacy and Technical Assistance Center: http://ptac.ed.gov. For example, Frequently Asked Questions on Disclosure Avoidance, PTAC-FAQ-2, October 2012 (updated May 2013); Data De-identification: An Overview of Basic Terms, PTAC-GL, Oct 2012 (updated May 2013); Case Study #5: Minimizing Access to PII: Best Practices for Access Controls and Disclosure Avoidance Techniques, PTAC-CS-5, October 2012.
[6] See also Federal Committee on Statistical Methodology, Statistical Policy Working Paper 22: Report on Statistical Disclosure Limitation Methodology (73 Fed. Reg. 74806-35, Dec 9, 2008).
[7] 73 FR 74833, December 9, 2008.
[8] 73 FR 74834, December 9, 2008.

Selecting an appropriate de-identification method depends in part on examining the planned data sharing purpose. The data sharing purpose and the de-identification strategy must be compatible.[9] For example, researchers interested in examining students' performance over time might require access to detailed, accurate academic information spanning several years (limiting the use of de-identification techniques that diminish the data's validity). Researchers studying a student cohort's growth toward a state's college- and career-ready standards under a specific pedagogy, for example, would not be able to use data de-identified with a technique that limits the data's reliability and validity. (Alternatively, this type of longitudinal research might be conducted using de-identified data linked to a record locator, enabling the originating educational agency or institution to provide de-identified data for the same students over time. Use of such a locator does not render the data "personally identifiable" under FERPA, but it does trigger special requirements.) Conversely, data shared for purposes that require less precision and accuracy, such as software training or technology research and development, could use much more aggressive de-identification strategies, such as techniques that replace sensitive information with inauthentic or modified data.
Please note that using de-identification techniques as a privacy tool does not always involve removing all PII; but in situations when PII remains part of a given data set (i.e., where the data has not been completely de-identified), sharing may only occur with consent or consistent with an appropriate FERPA exception. For example, an educational agency or institution sharing PII under a qualifying FERPA exception may wish to use de-identification techniques to minimize the PII released to an outside entity, even though it may lawfully share a range of student-level information. To be more specific, a researcher might conduct a study that requires a discrete list of indirect identifiers that together could lead to the student's identification, such as a student's age, race, and family financial information, but that does not require other PII found in the same education records. In such an instance, these three pieces of personally identifiable student data (and other information attached to them) would remain subject to FERPA's disclosure limitations and other requirements, but de-identification techniques (e.g., suppression) could provide additional protection for the student by removing data, for example from a cell or row, that is unnecessary to the study. Researchers lawfully using PII in this context and other cases, however, must completely de-identify any report or other information before releasing it to the public or other parties, including other researchers.[10]

Entities planning to use de-identification techniques must mitigate the risk of exposing the identity of individual students. Therefore, after examining the requirements of a given data sharing purpose, education data holders must also assess the risks associated with their planned disclosure, including considering past data releases (the risk of re-identification is cumulative), sample size, the nature of the data recipient,[11] whether the data will be further shared or made

[9] Data De-identification: An Overview of Basic Terms. U.S. Department of Education Privacy Technical Assistance Center, PTAC-GL, Oct 2012 (updated May 2013), p. 4.
[10] 73 FR 74834, December 9, 2008.
[11] The Department of Education has said "there is no statutory authority in FERPA to modify the prohibition on disclosure of personally identifiable information from education records, or the exceptions to the written consent requirement, based on the track record of the party, including journalists and researchers, in maintaining the confidentiality of information from education

public, and other contextual conditions.[12] More aggressive de-identification strategies are required in situations when the student data is potentially at greater risk of re-identification. For example, de-identified data shared for a specific purpose with a trusted public or private entity, such as a state department of education, an institution of higher education, or a professional vendor bound by strict legal and contractual protections (e.g., an agreement with strict re-disclosure limitations), might be less likely to be widely available later (decreasing the re-identification threat associated with cumulative data releases), compared, for example, to annual school or district performance data posted directly to a public website to comply with federal and state accountability requirements. Why is greater public availability of a properly de-identified data set a potential problem? In some cases, de-identified data might be subject to nefarious comparisons with other data sets (e.g., with widely available student "directory information") or other attempts to reveal PII. When data enters the public domain, it could be exposed to cutting-edge tools and techniques designed to compare the de-identified data to other publicly available data sets and thus reveal a student's identity (the FERPA implications of such a breakthrough are discussed further below).

Although experts disagree about the extent to which new technologies and techniques can "back map" de-identified data to reveal a student's identity, a serious statistical analysis that ensures all direct and indirect identifiers have been removed can be performed to keep any re-identification risk remote.

In short, prudent student data holders should consider using the most aggressive de-identification strategies possible when data will be made public or shared widely, in light of new data mining and comparison techniques that might be more effective than is commonly accepted. When data is shared with a limited set of restricted parties under strong controls and under a FERPA exception, a combination of technical, administrative, and contractual controls will be appropriate for reasonable de-identification measures that may preserve greater utility of the data.
Application of FERPA to De-Identified Records

As a general rule, FERPA prohibits the disclosure of education records containing personally identifiable student data without parent or eligible student consent.[13] Therefore, the release of education records that have been appropriately de-identified (purged of direct and all necessary indirect identifiers in a given context) is not considered a "disclosure" under FERPA, since by definition such records do not contain PII.[14] Properly de-identified student data thus may be shared without limitation under FERPA (although other federal and state privacy laws may apply). Furthermore, "de-identified information from education records is not subject to any

[11, continued] records that they have received." (73 FR 74834). Nonetheless, the recipient's identity should likely be considered among other variables in each risk assessment.
[12] Frequently Asked Questions: Disclosure Avoidance, PTAC-FAQ-2, Oct 2012 (updated May 2013), pp. 2-4.
[13] 20 U.S.C. 1232g(b)(1).
[14] 34 CFR 99.31(b)(1).

destruction requirements because, by definition, it is not 'personally identifiable information.'"[15] The Department has said, however, that a party releasing de-identified student data might mitigate risks associated with future data releases by independently requiring data destruction in some circumstances.[16]

There is one important exception, however, to FERPA's unconsented sharing exception for de-identified data. De-identified data coupled with a record code or locator by an educational agency or institution (allowing it to be matched later to the record source) may only be shared for education research. Although the Department's regulations and guidance do not specifically discuss the question, it appears that educational agencies or institutions may select any qualified third party to conduct research under this provision, but all secondary (non-research) uses of de-identified data with a record locator are prohibited. Furthermore, the data sharing entity may not disclose information about how it generated and assigned the record code, or other information that might allow a data recipient to identify a student based on the record code. Lastly, the record code must not be based on a student's social security number or other personal information.[17] Such a data set remains categorized as "de-identified," and may thus be shared without parent or eligible student consent, but unlike other de-identified data it may only be shared for the research purpose specified to the educational agency or institution, consistent with the other requirements described above.

Before such data sharing can occur, however, the education record must be properly de-identified. As referenced above, the "releasing party is responsible for conducting its own analysis and identifying the best methods to protect the confidentiality of information from education records it chooses to release."[18] This determination depends on FERPA's disclosure risk assessment standard. This standard asks whether a "reasonable person in the school community who does not have personal knowledge of the relevant circumstances" could use the released data, and other publicly available data, to identify an individual student with reasonable certainty.[19]
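The record-code requirement just described (the code may not be based on the student's social security number or other personal information, and the recipient may not learn how codes were generated) has a concrete engineering consequence that is worth seeing in code. The following is an added example, not the paper's or the Department's code: it shows that a code produced by hashing a student number is still derivable from that number, because the space of 4-digit student numbers (the format used in Addendum A) is small enough to enumerate, and it shows one way to build a stable code that is not derivable, by drawing it at random and tying it to the student only through a table the agency keeps to itself. The 4-digit format, the 64-bit token length, and the table layout are assumptions for illustration.

```python
"""Added example (not from the paper): a record code that is a hash of a
low-entropy identifier versus a random code mapped in an agency-held table.
The 4-digit student number format follows Addendum A; everything else
here is an assumption made for illustration."""
import hashlib
import secrets

STUDENT_NUMBER_DIGITS = 4   # assumed format, as in Addendum A's "4444"


def hashed_record_code(student_number):
    """The tempting shortcut: code = SHA-256(student number), truncated.
    Deterministic, so anyone who knows the scheme can rebuild the mapping."""
    return hashlib.sha256(student_number.encode()).hexdigest()[:16]


def recover_student_number(code, digits=STUDENT_NUMBER_DIGITS):
    """Enumerate every possible student number and hash it.  A 4-digit space
    is only 10,000 hashes, so the 'code' resolves straight back to the student;
    a 9-digit SSN space (10^9) is still cheap on one machine."""
    for n in range(10 ** digits):
        candidate = str(n).zfill(digits)
        if hashed_record_code(candidate) == code:
            return candidate
    return None


class RecordLocator:
    """Codes drawn at random and tied to students only through a table the
    educational agency keeps to itself.  The recipient receives the codes;
    it never receives this object, the table, or the generation method."""

    def __init__(self):
        self._by_student = {}   # student number -> code (agency-only)
        self._by_code = {}      # code -> student number (agency-only)

    def code_for(self, student_number):
        code = self._by_student.get(student_number)
        if code is None:
            code = secrets.token_hex(8)          # 64 random bits, unrelated to the student
            while code in self._by_code:         # keep codes unique (collisions are negligible)
                code = secrets.token_hex(8)
            self._by_student[student_number] = code
            self._by_code[code] = student_number
        return code

    def resolve(self, code):
        """Agency-side lookup used to attach a later year's data to the same code."""
        return self._by_code.get(code)


def release(records, locator, direct=("name", "student_number")):
    """Attach the stable code and drop direct identifiers.  The same student
    gets the same code in every release (what longitudinal research needs)
    without the code itself revealing who the student is."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in direct}
        row["record_code"] = locator.code_for(r["student_number"])
        out.append(row)
    return out
```

`recover_student_number(hashed_record_code("4444"))` returns `"4444"`: the hash did nothing to break the link to the student number, which is exactly what "based on ... other personal information" forbids. With `RecordLocator`, two releases of the same student carry the same code, `resolve` works only for whoever holds the table, and enumeration returns nothing because the code was never computed from the student's data.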
This standard extends to possible data holders beyond the literal school community.

The Department of Education does not require educational agencies and institutions to use specific data disclosure avoidance techniques to achieve this standard, and stated in a recent rulemaking that "it is not possible to prescribe or identify a single method to minimize the risk of disclosing personally identifiable information that will apply in every circumstance."[20] The Department has also said that "determining whether a particular set of methods for de-identifying data and limiting disclosure risk is adequate cannot be made without examining the underlying data sets, other data that have been released, publicly available directories and other data that are linked or linkable to the information in question."[21] In other words, the party releasing data

[15] 73 FR 15585, March 24, 2008.
[16] 73 FR 74835, December 9, 2008.
[17] 34 CFR 99.31(b)(2)(i)-(iii).
[18] 73 FR 74835, December 9, 2008.
[19] 34 CFR 99.3; 34 CFR 99.31(b)(1).
[20] 73 FR 74835, December 9, 2008.
[21] Ibid. at 74835.

must perform a context-specific analysis and identify the best method for protecting student information subject to disclosure. Proper application of the accepted mathematical and statistical de-identification strategies described earlier in the paper meets this legal standard in many instances, but by law each sharing context must be independently analyzed against the Department's reasonableness standard.[22]

Some experts have argued that, given recent cases where researchers have leveraged access to other publicly available data sets to identify specific individuals, absolute data de-identification may be impossible, or at a minimum increasingly difficult.[23] In light of this uncertainty, data sharing parties should very carefully analyze each proposed disclosure of de-identified data against FERPA's reasonableness standard, and should also consider using contracts that specify protections above and beyond FERPA that could further minimize the risk of re-identification.

De-Identified Data: Retention and Destruction

FERPA permits third-party data holders, including vendors, to retain and use appropriately de-identified data (so long as it is not associated with a record locator) for any secondary purpose. Furthermore, FERPA does not describe how de-identified data should be managed, including, as described above, when and how the data should be destroyed. Vendors and other third-party holders must, however, determine whether a given de-identified data set is subject to relevant contract terms, or to other federal, state, and local privacy laws and regulations, which might contain more stringent data retention or destruction requirements.[24] For example, personal data subject to the Children's Online Privacy Protection Act may only be retained so long as is necessary to fulfill the purpose for which it was collected, and COPPA-covered entities must delete the information using reasonable measures to protect against its unauthorized access or use.[25]
Although FERPA does not govern the use, retention, and destruction of properly de-identified data, third parties should have sound policies (guided by National Institute of Standards and Technology or PTAC best practice recommendations) addressing these issues. This internal, independent step includes ensuring that de-identified data is destroyed when it is no longer needed, in order to minimize the re-identification risks associated with possible future efforts to compare and link the data with other data sets. Data holders must also ensure that they take proper actions to destroy data. Simply deleting data is not sufficient in most cases, and PTAC's data destruction best practices provide helpful guidance. PTAC recommends that data holders make risk-based decisions on "which [destruction] method [e.g., clearing, purging, or destroying data] is most appropriate based on the data type, risk of disclosure, and the impact if that data were to be disclosed without authorization."[26] The data de-identification method used to remove

[22] 34 CFR 99.31(b)(1). See also PTAC Frequently Asked Questions: Disclosure Avoidance, p. 4, PTAC-FAQ-2, Oct 2012 (updated May 2013).
[23] Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, Paul Ohm, University of Colorado Law School, UCLA Law Review, Vol. 57, p. 1701, 2010.
[24] Privacy and Technical Assistance Center, Best Practices for Data Destruction, p. 5, PTAC-IB-5, May 2014.
[25] 16 C.F.R. 312.10.
[26] PTAC Best Practices for Data Destruction, p. 5.

PII from a data set should be a central factor in making this determination. Data holders seeking additional guidance on proper destruction strategies should consult recommendations made by the National Institute of Standards and Technology and other expert sources.[27]

Conclusion

De-identification offers an important tool for educational agencies, institutions, and their partners seeking to maximize student data's potential value for improving teaching and learning, while also carefully protecting student privacy and confidentiality. Proper data de-identification requires, however, deep technical knowledge and expertise and adherence to industry best practice. Therefore, student data holders should not attempt to de-identify student data sets without competent support. They should also consult competent legal counsel to ensure that their data management policies and practices (including de-identification strategies) comply with FERPA and all other relevant federal, state, and local laws and requirements potentially applicable to the data they manage.

[27] National Institute of Standards and Technology (NIST) Special Publication 800-88 Rev. 1: Guidelines for Media Sanitization. December 2014.

Addendum A: Illustration of Common De-Identification Measures in Aggregate Data Sets

Raw Individual Student Data in Aggregate Data Table
  Joan's direct identifiers:
    Student Name: Joan Smith
    Student's Parents: John Smith & Jackie Smith
    Address: 0000 00th Street, Washington, D.C.
    Student Number: 4444
    Social Security Number: 555-555-555
  Joan's indirect identifiers:
    Date of Birth: 11/01/2000
    Race: Alaska Native
    Gender: Female
    Place of Birth: Washington, D.C.
    Family Income: $85,000
    GPA: 3.75

Redacted Individual Student-Level Data in Aggregate Data Table (All Direct Identifiers Removed)
  Joan's indirect identifiers:
    Date of Birth: 11/01/2000
    Race: Alaska Native
    Gender: Female
    Place of Birth: Washington, D.C.
    Family Income: $85,000
    GPA: 3.75

Blurring (Reducing Data Precision, including Using Broader Categories)
  Joan's indirect identifiers (all direct identifiers removed):
    Date of Birth: 2000
    Race: Minority
    Gender: Female
    Mother's maiden name: Johnson
    Place of Birth: Mid-Atlantic
    Family Income: $50,000-$100,000
    GPA: 3.5-4.0

Suppression (Removing Data from a Cell or Row)
  Joan's indirect identifiers (all direct identifiers removed):
    Date of Birth: 2000
    Race: Unique Characteristic Removed
    Gender: Female
    Mother's maiden name: Unique Characteristic Removed
    Place of Birth: Mid-Atlantic
    Family Income: $50,000-$100,000
    GPA: 3.5-4.0

Perturbation (Small Data Changes, including through Swapping Data among Cells)
  Mike's indirect identifiers (all direct identifiers removed):
    Date of Birth: 1999
    Race: Unique Characteristic Removed
    Gender: Female
    Mother's maiden name: Unique Characteristic Removed
    Place of Birth: Midwest
    Family Income: $50,000-$100,000
    GPA: 3.5-4.0
  Joan's indirect identifiers (all direct identifiers removed):
    Date of Birth: 2000
    Race: Unique Characteristic Removed
    Gender: Male
    Mother's maiden name: Unique Characteristic Removed
    Place of Birth: Northeast
    Family Income: $50,000-$100,000
    GPA: 3.5-4.0
  (Compared with the other panels, Joan's gender and place of birth have been changed, with the gender values swapped between the two rows.)
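The three measures shown in Addendum A, and the check the risk assessment section earlier in the paper calls for (comparing a planned release against "other reasonably available information" such as directory information), worked through on a small table as an added example. This code is not from the paper, PTAC, or the Department; the student records, the directory table, the REGION mapping, the $50,000 and 0.5-GPA band widths, and the choice of date of birth, gender, and place of birth as the fields an outsider could link on are all constructed assumptions. It also goes slightly beyond the Addendum in one respect: it measures the result with the smallest group of rows sharing the same linkable values (k-anonymity), which is one common way to put a number on "unique patterns of information."

```python
"""Added example (not from the paper): blurring, suppression and
perturbation applied to a constructed student table, plus a record-linkage
check against constructed "directory information".  Every name, value and
the REGION mapping below is invented for illustration."""
import math
from collections import Counter
from copy import deepcopy

DIRECT = ("name", "student_number")          # direct identifiers
QI = ("dob", "gender", "place_of_birth")      # fields assumed linkable from outside

# Constructed individual-level records, loosely modelled on Addendum A.
STUDENTS = [
    {"name": "Joan Smith", "student_number": "4444", "dob": "2000-11-01",
     "gender": "Female", "place_of_birth": "Washington, D.C.", "income": 85000, "gpa": 3.75},
    {"name": "Ana Lopez", "student_number": "4445", "dob": "2000-06-30",
     "gender": "Female", "place_of_birth": "Baltimore, MD", "income": 91000, "gpa": 3.90},
    {"name": "Mike Jones", "student_number": "4446", "dob": "1999-03-12",
     "gender": "Male", "place_of_birth": "Chicago, IL", "income": 72000, "gpa": 3.60},
    {"name": "Tom Baker", "student_number": "4447", "dob": "1999-09-09",
     "gender": "Male", "place_of_birth": "Detroit, MI", "income": 55000, "gpa": 3.80},
    {"name": "Ben Park", "student_number": "4448", "dob": "2000-01-15",
     "gender": "Male", "place_of_birth": "Boston, MA", "income": 60000, "gpa": 3.55},
    {"name": "Sam Reed", "student_number": "4449", "dob": "2000-04-02",
     "gender": "Male", "place_of_birth": "Portland, OR", "income": 64000, "gpa": 2.95},
]
# Constructed "directory information" an outsider could plausibly obtain.
DIRECTORY = [{k: s[k] for k in ("name", "dob", "place_of_birth")} for s in STUDENTS]
REGION = {"Washington, D.C.": "Mid-Atlantic", "Baltimore, MD": "Mid-Atlantic",
          "Chicago, IL": "Midwest", "Detroit, MI": "Midwest",
          "Boston, MA": "Northeast", "Portland, OR": "Pacific"}


def redact(records):
    """Step one: drop direct identifiers only (Addendum A's 'redacted' panel)."""
    return [{k: v for k, v in r.items() if k not in DIRECT} for r in records]


def blur(record):
    """Blurring: reduce precision so unique values fall into broader categories."""
    out = dict(record)
    if "dob" in out:
        out["dob"] = out["dob"][:4]                                   # full date -> year
    if "place_of_birth" in out:
        out["place_of_birth"] = REGION.get(out["place_of_birth"], "Other")
    if "income" in out:
        lo = out["income"] // 50000 * 50000
        out["income"] = f"${lo:,}-${lo + 50000:,}"                    # $50,000 bands
    if "gpa" in out:
        lo = math.floor(out["gpa"] * 2) / 2
        out["gpa"] = f"{lo:.1f}-{lo + 0.5:.1f}"                       # 0.5 GPA bands
    return out


def k_anonymity(records, qi=QI):
    """Size of the smallest group of rows sharing the same linkable values."""
    classes = Counter(tuple(r.get(f) for f in qi) for r in records)
    return min(classes.values()) if classes else 0


def suppress(records, k, qi=QI):
    """Suppression: blank any linkable value seen fewer than k times (cell
    suppression), then drop rows still in a group smaller than k (row
    suppression).  Returns a new list; the input is left untouched."""
    recs = deepcopy(records)
    for f in qi:
        counts = Counter(r.get(f) for r in recs)
        for r in recs:
            if counts[r.get(f)] < k:
                r[f] = None
    classes = Counter(tuple(r.get(f) for f in qi) for r in recs)
    return [r for r in recs if classes[tuple(r.get(f) for f in qi)] >= k]


def perturb_swap(records, i, j, field):
    """Perturbation: swap one field between two rows (data swapping)."""
    recs = deepcopy(records)
    recs[i][field], recs[j][field] = recs[j][field], recs[i][field]
    return recs


def link(released, directory, qi=QI):
    """Linkage check: for each released row, the directory names consistent
    with it.  A suppressed (None) value, or a field the directory lacks,
    constrains nothing; blurred values are matched against the directory
    blurred the same way, because an attacker can blur the directory too."""
    def consistent(value, entry, field):
        if value is None or field not in entry:
            return True
        return value in (entry[field], blur(entry)[field])
    return [sorted(e["name"] for e in directory
                   if all(consistent(r.get(f), e, f) for f in qi))
            for r in released]


def uniquely_linked(links):
    """How many released rows point at exactly one directory name."""
    return sum(1 for candidates in links if len(candidates) == 1)
```

On the constructed rows: removing direct identifiers alone leaves every row uniquely linkable to the directory (k = 1, six of six rows re-identified); blurring to year, region and bands still leaves the two students from single-student regions unique; cell suppression at k = 2 blanks those two regions, after which every row is consistent with at least two names and the data set is 2-anonymous on the linkable fields; swapping place of birth between two rows makes the attacker's match point at the wrong student, which is the "uncertainty" perturbation is meant to introduce. A real release is larger and the directory an adversary holds is unknown, so the same check should be run against every prior release and public table the recipient could plausibly obtain; that is the concrete form of the context-specific analysis the paper describes.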