NCES Data Confidentiality and Data Licensing Program Marilyn Seastrom July, 2013 Washington, DC.


What Are NCES Responsibilities Under Law?
PART C—NATIONAL CENTER FOR EDUCATION STATISTICS
– SECTION DUTIES (a) GENERAL DUTIES.—The Statistics Center shall collect, report, analyze, and disseminate statistical data related to education in the United States and in other nations

What Are NCES Responsibilities Under Law?
SECTION 154. PERFORMANCE OF DUTIES.
2) SOURCE OF INFORMATION.—The Statistics Commissioner may, as appropriate, use information collected—.. (B) by other offices within the Institute and by other Federal departments, agencies, and instrumentalities.

What Are NCES Responsibilities Under Law?
SECTION 156. DISSEMINATION
The Statistics Center may furnish transcripts or copies of tables and other statistical records and make special statistical compilations and surveys for State and local officials, public and private organizations, and individuals.

What Are NCES Authorities Under Law?
The Commissioner may utilize temporary staff, including employees of Federal, State, or local agencies …and employees of private organizations to assist the Center in performing the Center’s responsibilities, but only if such temporary staff are sworn to observe the IES confidentiality law.

What Confidentiality Laws Apply?
Education Sciences Reform Act of 2002 (ESRA 2002)
– Privacy Act of 1974, as amended
– Family Educational Rights and Privacy Act of 1974
– US Patriot Act of 2001
NCES is also covered under the E-Government Act of 2002, Title V, Subtitle A, Confidential Information Protection (CIP 2002)

IES Confidentiality Law
Education Sciences Reform Act of 2002 (ESRA)
All individually identifiable information about students, their families, and their schools shall remain confidential. The law requires that no person may:
– Use any individually identifiable information collected under an ESRA nondisclosure pledge for any nonstatistical purpose, except in the case of terrorism;

IES Confidentiality Law
– Make any publication whereby the data for a particular person can be identified
– Permit anyone other than the individuals authorized by the Director to examine the individual reports.
Individually identifiable information is immune from legal process, and shall not, without the consent of the individual concerned, be admitted as evidence or used for any purpose in any action, suit, or other judicial or administrative proceeding, except in the case of terrorism.

IES Confidentiality Law
Employees, including temporary employees, or other persons who have sworn to observe the limitations imposed by this law, who knowingly publish or communicate any individually identifiable information will be subject to fines of up to $250,000, or up to 5 years in prison, or both (Class E felony).

How Does IES Release Data?
Released data are designated either restricted-use or public-use.
– Restricted-use data have all direct identifiers removed and either include confidentiality edits performed (data perturbation) or are subject to cell size restrictions in data releases.

How Does IES Release Data?
Released data are designated either restricted-use or public-use.
– Public-use sample survey data start from the approved restricted-use data and are subject to disclosure limitation analysis resulting in further perturbations, coarsening, and item suppression

How Does IES Release Data?
Released data are designated either restricted-use or public-use.
– Public-use administrative data start from the restricted-use data and are subject to disclosure limitation analysis resulting in cell suppressions, reporting some aggregate point estimates as ranges, and/or rounding

History of Data Licensing System
External users are loaned restricted-use data through a license between IES, the user, and the user’s institution or organization.
– 1989: Initiated talks with OMB to start a trial data licensing system; developed protocol and legal documents
– 1991: First license issued
– 2000: 502 restricted-use licenses
– 2007: Implemented electronic application system
– 2013: 900 restricted-use licenses

What Does a Data License Involve?
IES loans restricted-use data only to qualified organizations in the United States. This restriction is because the underlying laws are US laws. Individual researchers must apply through an organization (e.g., a university, a research institution, or company).

What Does a Data License Involve?
• Complete an on-line application
• Submit signed license document
  – Primary Researcher
  – Senior Official at Institution
• Submit signed and notarized affidavits of nondisclosure for all proposed data users
• Submit a signed security plan
  – System Security Officer

What Does a Data License Involve?
• Maintain a data license file and ensure that all authorized users follow the agreed upon terms
• Participate in unannounced security inspections to ensure compliance
• Adhere to established publication rules to protect confidential data
• Submit all release materials to IES Data Security Office for disclosure review

What Does a Data License Involve?
• Notify IES immediately if the researcher receives any legal, investigatory, or other demand for disclosure of subject data.
• Use the on-line license system to notify IES of any modifications in project operations or security procedures, including any departures or additions to the project staff.
• The PPO may also submit a request for more data.

What Does a Data License Involve?
Using the electronic license system to close the License when the research that is the subject of the agreement has been completed or the license terminates, whichever occurs first.
– The restricted-use data and all other individually identifiable information (e.g., the one backup copy, working notes) shall be destroyed under IES supervision or by approved IES procedures.

What Does a Data License Involve?
The researcher must
– read the Restricted-Use Data Procedures Manual,
– provide a justification for the need for the restricted-use data,
– submit the required documents,
– agree to keep the data safe from unauthorized disclosures at all times, and
– agree to participate fully in unannounced, unscheduled inspections by IES Data Security Officials to ensure compliance with the terms of the license and the security procedures and plan.

License Lessons Learned
• Maintain complete and detailed records of all license transactions.
• Complete annual online training.
• Value of Security inspections.
  – Use security inspections to correct minor violations.
• Need for regular contact with licensees.
  – Use and automated features of electronic license system to send annual reminders for personnel and security updates.
• Automate license closeout reminders

NCES Contact Information NCES website: NCES Restricted Use License Program: NCES newsflash: sign up at Marilyn Seastrom (202) Thank you

NCES Confidentiality Laws

NCES Employees
NCES staff take an oath of office. They are informed about the requirements of the confidentiality law. They work in a guarded facility with controlled access. They must monitor the confidentiality of individually identifiable information in their daily activities and in the release of information to the public.

Confidential Information
The term “individually or personally identifiable information” means any record, response form, completed survey, or aggregation from which information about particular individuals or schools may be revealed. Included are
– Direct identifiers (e.g., name, SSN, biometric records, or video image) and
– Indirect identifiers (e.g., date and place of birth, mother’s maiden name, gender, age, race/ethnicity, a specific geographical location, or other descriptors which in combination are linkable to a specific individual).

CIPSEA Use of Agents
Federal statistical agencies may designate agents by contract or special agreement to perform exclusively statistical activities subject to CIPSEA limitations. The agency shall ensure that all agents comply with the agency’s confidentiality procedures.

Confidentiality Edits for Sample Survey Data
• Use a confidentiality edit to protect data in reporting
• Match a sample of records with those from another geographic region on a set of key attributes,
• Swap all the attributes on the matched records.
• Use these protected files for tabulations.

Disclosure Limitation Techniques
• Recode variables that have extreme cases (e.g. salaries)
  – To avoid attribute disclosure that could lead to an identity disclosure
• Review data against potential external sources of data that are available for matching
  – To avoid identity disclosure

Cell Size Restrictions for Confidential Sample Survey Data
If there are no confidentiality edits and fewer than three cases (i.e., 1 or 2)
– Collapse cells: combine the “sensitive” cell with a related category for a larger cell size until there are no remaining sensitive cells.
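An added illustration of the cell-collapsing rule on the slide above (not NCES code or an NCES procedure). It assumes the categories are ordered, so that a "related category" means an adjacent one, and it prefers the smaller neighbor; the age bands and counts are constructed sample data.

```python
from typing import List, Tuple

Cell = Tuple[str, int]   # (category label, unweighted case count)
MIN_CELL = 3             # slide rule: a cell with 1 or 2 cases is sensitive


def is_sensitive(count: int, min_cell: int = MIN_CELL) -> bool:
    """True for 1..min_cell-1 cases; an empty cell is not treated as sensitive."""
    return 0 < count < min_cell


def collapse_cells(cells: List[Cell], min_cell: int = MIN_CELL) -> List[Cell]:
    """Merge sensitive cells into an adjacent category until none remain.

    Assumption of this example: `cells` is in a meaningful order (e.g. age
    bands), and the neighbor with the smaller count is chosen so that large,
    already-safe cells keep as much detail as possible.
    """
    cells = list(cells)
    while True:
        idx = next((i for i, (_, n) in enumerate(cells)
                    if is_sensitive(n, min_cell)), None)
        if idx is None:
            return cells
        if len(cells) == 1:
            # Nothing left to combine with: the whole table is too small.
            raise ValueError("table total is below the minimum cell size")
        neighbors = [j for j in (idx - 1, idx + 1) if 0 <= j < len(cells)]
        j = min(neighbors, key=lambda k: cells[k][1])
        lo, hi = sorted((idx, j))
        merged = (f"{cells[lo][0]} + {cells[hi][0]}",
                  cells[lo][1] + cells[hi][1])
        cells[lo:hi + 1] = [merged]   # each pass removes one cell, so this ends


# Constructed sample table: respondents by age band.
SAMPLE = [("<20", 2), ("20-29", 14), ("30-39", 1), ("40-49", 1), ("50+", 9)]

if __name__ == "__main__":
    for label, n in collapse_cells(SAMPLE):
        print(f"{label:<24} {n}")
```

The table total is unchanged by collapsing, so a published total cannot be used to back out the merged counts.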

Cell Size Restrictions for Administrative Data with PII
Use reporting rules specified with the restricted-use data file
– Cell suppression and reporting ranges
– Rounding

Safeguards and Data Access
• Disclosure Review Board—technical staff who clear anonymized files for release as public-use file and who approve data perturbations for restricted-use files.
• Data Analysis System—tabulations are provided online using either restricted- or public-use data.
• Restricted-Use Data Licensing System—NCES data security staff and contractor security investigators issue licenses and conduct inspections.

CIPSEA Annual Reporting Requirements
• List individual surveys collected under a CIPSEA confidentiality pledge
• List individual surveys collected under another arrangement, including promises made for data protection, if any
• Report on agency data protection procedures
• Report on the number of existing agents
  – Contractors
  – Licensees

NCES Confidentiality Laws
The Privacy Act of 1974—“to provide certain safeguards for an individual against invasion of personal privacy…” Violation is a misdemeanor and is subject to a fine up to $5,000.

NCES Confidentiality Laws
The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) protects the privacy of student education records. FERPA applies to student record data in all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA allows schools to disclose those records to specified officials for audit or evaluation purposes. FERPA applies to administrative record data that NCES obtains from the school or institution without the explicit written consent of the parent or student.

CIPSEA
Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA) (44 USC 3501)
• Protects information supplied by individuals or organizations under a pledge of confidentiality for statistical purposes from disclosure in identifiable form and from nonstatistical uses
• Violation: Class E felony with a fine up to $250,000, or up to five years imprisonment, or both.

Types of Disclosures
• Three types of disclosure:
  – Identity disclosure: third party can identify a subject from released data
  – Attribute disclosure: confidential information about a subject is revealed and can be attributed to the subject
  – Inferential disclosure: information can be inferred with high confidence from statistical properties of released data
• Statistical agencies are concerned with identity and attribute disclosure.