Version 1.0: October 2011
Statewide Longitudinal Data Systems (SLDSs) collect a vast range of information that can be both detailed and sensitive in nature (e.g., Social Security numbers, children’s pregnancies, mental health, illness, jail sentences, and family wealth indicators). However, some SLDSs may lack security and privacy protections commensurate with the sensitivity of the data they contain, and their policies and procedures for information-sharing among the agencies and entities authorized to access them may not always comply with Family Educational Rights and Privacy Act (FERPA) privacy requirements. Additionally, your state’s data breach standards may impose obligations on you for the handling of your institution’s data even after it has been incorporated into your state’s SLDS.
Why should the higher education community be interested in this? Although statewide longitudinal data systems began with a focus on the K-12 sector, states have rapidly turned to a “PK-20” or “PK-Grave” focus, with strong encouragement and grants from the federal government. Thus, in many states, ongoing SLDS efforts seek to implement systems capable of capturing, analyzing, and reporting student data at the individual record level from preschool through high school, college, and eventually, the workforce.
Sources: Children's Educational Records and Privacy: A Study of Elementary and Secondary School State Reporting Systems, a 2009 report by the Fordham University Center on Law and Information Policy (CLIP); and Hans P. L'Orange, John Blegen, and Tanya I. Garcia, “Improving Student Attainment Requires More from Higher Education Data,” EDUCAUSE Review, vol. 46, no. 5 (September/October 2011).
Institutions should consider the following questions regarding longitudinal databases to ensure privacy, transparency, and accountability. Note: This resource is intended for higher education IT staff (e.g., CIOs, CISOs, ISOs) or any other institutional departments that need to remain informed about the issues related to SLDSs (e.g., Institutional Research).
- Does your state have detailed access and use restrictions for the longitudinal database? (These policies should be well-articulated and specific in nature; for example, they should define users, specify legitimate purposes of use, and limit access.)
- Does your state require database users to enter into confidentiality agreements?
- Does your state make information related to FERPA rights and obligations available and easily accessible on the Internet?
- Has your state instituted clearly defined data retention policies and procedures? (States without these policies may be likely to hold student information indefinitely.)
- Does your state outsource the data warehouse to a third-party vendor? There are several vendors used in the United States, and the service contracts they use are rarely the same.
  - “Third party processors of education records should have comprehensive agreements that explicitly address privacy obligations.”
  - “The vendors most frequently used throughout the states include: Infinite Campus, CPSI, eScholar, IBM, and ESP Solutions Group. With the exception of IBM, all of these vendors participate in the SIF certification program. This means that the data sets developed by these vendors will be interoperable. Infinite Campus, CPSI, and eScholar each offer systems that assist in data collection and offer services for data analysis. IBM is primarily used for data collection and storage services, while ESP specializes in data analysis and SIF compliance. Below is a summary of these major vendors and the products they are currently offering.”
- Is Personally Identifiable Information (PII) data anonymized at the state level through the use of dual database architectures? (Some states may instead use a unified database system with access restrictions.)
- Does your state use a “unique student identifier” (USI) or a non-personally identifiable USI?
  - “An important element in ensuring the USI is an anonymous identifier to qualify for the permitted disclosure is whether state level employees can trace a USI to a specific student. Anonymity can only be accomplished when state level employees have no access to the linking key between the USI and the personally identifiable information, and no way to infer the identity of a specific student from the available data.”
- Is the collection of information by your state minimized or limited to necessary information?
- Is your state’s longitudinal database tied to an established audit or risk assessment process?
- Does your state maintain audit logs of access to and use of the databases in an effort to prevent unauthorized data processing, improper access, or misuse?
- Does your state make information about the database, its security, and the steps taken to maintain individuals’ privacy readily available and verifiable?
  - “Policies and procedures regarding the longitudinal database should be easy for parents and students to find, understand, and use.”
- Has your state appointed a Chief Privacy Officer (CPO) within the state’s Department of Education? State CPOs help ensure respect for children’s privacy in education records and oversee compliance with federal and state privacy laws.
- Does your state’s Chief Privacy Officer publicly report privacy impact assessments for database programs, proposals, and vendor contracts?
According to SHEEO, forty-four states (plus the District of Columbia) are currently collecting some type of longitudinal student data at the state level. View a complete list of state agency/entity profiles on the SHEEO State of the State Postsecondary Data Systems (SSPDS) website.
- Children's Educational Records and Privacy: A Study of Elementary and Secondary School State Reporting Systems, a 2009 report by the Fordham University Center on Law and Information Policy (CLIP)
- Common Education Data Standards (CEDS): http://nces.ed.gov/programs/ceds/about.asp
- Data Quality Campaign: http://www.dataqualitycampaign.org/
  - Data Privacy, Security, and Confidentiality: http://www.dataqualitycampaign.org/survey/issues/Privacy
  - FERPA-related SLDS resources: http://www.dataqualitycampaign.org/resources/topics/13
  - Ten Essential Elements of a State Longitudinal Data System: http://www.dataqualitycampaign.org/survey/elements
- EDUCAUSE resources on Statewide Longitudinal Data Systems (SLDS): http://www.educause.edu/Resources/Browse/Statewide%20Longitudinal%20Data%20Systems/41356
- Hans P. L'Orange, John Blegen, and Tanya I. Garcia, “Improving Student Attainment Requires More from Higher Education Data,” EDUCAUSE Review, vol. 46, no. 5 (September/October 2011): http://www.educause.edu/EDUCAUSE+Review/EDUCAUSEReviewMagazineVolume46/ImprovingStudentAttainmentRequ/235042
- National Conference of State Legislatures (NCSL) State Security Breach Notification Legislation/Laws: http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/OverviewSecurityBreaches/tabid/13481/Default.aspx
- National Post-School Outcomes Center (NPSO) SLDS Resources: http://www.psocenter.org/slds.html
- Privacy Technical Assistance Center (PTAC), one component of the U.S. Department of Education’s comprehensive privacy initiatives: http://nces.ed.gov/programs/ptac/Home.aspx
  - PTAC Data Security Checklist: http://nces.ed.gov/programs/ptac/pdf/ptac-data-security-checklist.pdf
- State Higher Education Executive Officers (SHEEO) The State of State Postsecondary Data Systems
  - July 2010 Report: Strong Foundations: The State of State Postsecondary Data Systems
- U.S. Department of Education Institute of Education Sciences (IES) National Center for Education Statistics (NCES, http://nces.ed.gov/) Statewide Longitudinal Data Systems (SLDS) Grant Program: http://nces.ed.gov/programs/slds/
  - 2010 SLDS P-20 Best Practice Conference Resources: http://nces.ed.gov/programs/slds/nov10_presentations.asp
  - SLDS Technical Brief on Data Stewardship (November 2011): http://nces.ed.gov/pubs2011/2011602.pdf
- U.S. Department of Education Statewide Longitudinal Data System Grants: http://www2.ed.gov/programs/slds/index.html
- Various State Links
  - Illinois Longitudinal Data System Project: http://www.isbe.state.il.us/ILDS/htmls/project.htm
  - Michigan Statewide Longitudinal Data System: http://www.michigan.gov/cepi/0,1607,7-113-56472---,00.html
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.