Skip Navigation

Statistical Standards
Statistical Standards Program
 
Table of Contents
 
Introduction
1. Development of Concepts and Methods
2. Planning and Design of Surveys
3. Collection of Data
4. Processing and Editing of Data

 
4-1 Data Editing and Imputation of Item Nonresponse
4-2 Maintaining Confidentiality
4-3 Evaluation of Surveys
4-4 Nonresponse Bias Analysis

5. Analysis of Data / Production of Estimates or Projections
6. Establishment of Review Procedures
7. Dissemination of Data
 
Glossary
Appendix A
Appendix B
Appendix C
Appendix D
 
Publication information

For help viewing PDF files, please click here
PROCESSING AND EDITING OF DATA

SUBJECT: MAINTAINING CONFIDENTIALITY

NCES STANDARD: 4-2

PURPOSE: To protect the confidentiality of NCES data that contain information about individuals (individually identifiable information). For this reason, staff must be cognizant of the requirements of the law and must monitor the confidentiality of individually identifiable information in their daily activities and in the release of information to the public.

KEY TERMS: coarsening, confidentiality, confidentiality edits, Data Analysis System (DAS), data swapping, edits, disclosure risk analysis, individually identifiable data, perturbation techniques, public-use data file, public-use edits, restricted-use data file, stage of data collection, and statistical disclosure techniques.

LEGAL REQUIREMENTS: Five laws cover protection of the confidentiality of individually identifiable information collected by NCES - the Privacy Act of 1974, as amended, the E-Government Act of 2002, the Education Sciences Reform Act of 2002, and the US Patriot Act of 2001.

Privacy Act of 1974, as amended - "The purpose of this Act is to provide certain safeguards for an individual against invasion of personal privacy by requiring Federal agencies…to collect, maintain, use or disseminate any record of identifiable personal information in a manner that assures that such action is for necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of such information." A willful disclosure of individually identifiable data is a misdemeanor, subject to a fine up to $5,000.

E-Government Act of 2002, Title V, Subtitle A, Confidential Information Protection (CIP 2002) - "Under this law, all individually identifiable information supplied by individuals or institutions to a federal agency for statistical purposes under the pledge of confidentiality must be kept confidential and may only be used for statistical purposes. Any willful disclosure of such information for nonstatistical purposes, without the informed consent of the respondent, is a class E felony.

Education Sciences Reform Act of 2002 (ESRA 2002) - Under this law all individually identifiable information about students, their families, and their schools shall remain confidential. To this end, this law requires that no person may:

  1. Use any individually identifiable information furnished under the provisions of this section for any purpose other than statistical purposes for which it is supplied, except in the case of terrorism (see discussion of the Patriot Act);
     
  2. Make any publication whereby the data furnished by any particular person under this section can be identified; or
     
  3. Permit anyone other than the individuals authorized by the Commissioner to examine the individual reports.

Further, individually identifiable information is immune from legal process, and shall not, without the consent of the individual concerned, be admitted as evidence or used for any purpose in any action, suit, or other judicial or administrative proceeding, except in the case of terrorism. Employees, including temporary employees, or other persons who have sworn to observe the limitations imposed by this law, who knowingly publish or communicate any individually identifiable information will be subject to fines of up to $250,000, or up to 5 years in prison, or both (Class E felony).

US Patriot Act of 2001 - This law permits the Attorney General to petition a court of competent jurisdiction for an ex parte order requiring the Secretary of the Department of Education to provide data relevant to an authorized investigation or prosecution of an offense concerning national or international terrorism. The law states that any data obtained by the Attorney General for these purposes "…may be used consistent with such guidelines as the Attorney General, after consultation with the Secretary, shall issue to protect confidentiality." This law was incorporated into ESRA 2002.

Federal Statistical Confidentiality Order of 1997 - This OMB Order provides a consistent government policy for "…protecting the privacy and confidentiality interests of persons who provide information for Federal statistical programs…" The Order defines relevant terms and provides guidance on the content of confidentiality pledges that Federal statistical programs should use under different conditions. The Order provides language for confidentiality pledges under two conditions-first, when the data may only be used for statistical purposes; second, when the data are collected exclusively for statistical purposes, but the agency is compelled by law to disclose the data. Since the US Patriot Act of 2001 includes a legal requirement that compels NCES to share the data under the conditions specified in the law (see above); the second condition applies to NCES. In this case, the Order instructs the agency to "…at the time of collection, inform the respondents from whom the information is collected that such information may be used only for statistical purposes and may not be disclosed, or used, in identifiable form for any other purpose, unless otherwise compelled by law."


STANDARD 4-2-1: All NCES staff, without exception, must pledge not to release any individually identifiable data, for any purpose, to any person not sworn to the preservation of confidentiality. Individually identifiable data are confidential and individually identifiable data are protected from legal process unless the individual provides written consent, except in the case of the authorized investigation and prosecution of terrorism.


STANDARD 4-2-2: All contractors whose activities might involve contact with individually identifiable information must provide NCES Project Officers with a list of all staff who might have contact with such data; all such staff must have a signed notarized affidavit of nondisclosure on file at NCES. These affidavits and the staff list must be kept current as staff members leave and as new staff members are assigned to NCES projects with individually identifiable information.


STANDARD 4-2-3: All contractor staff with access to individually identifiable information must only use that information for purposes associated with the data collection and analysis specified in the contract.


STANDARD 4-2-4: Respondents must be told in a cover letter or in instructions that " Your answers may be used only for statistical purposes and may not be disclosed, or used, in identifiable form for any other purpose except as required by law." Furthermore, the routine statistical purposes for which the data may be used must be explained.


STANDARD 4-2-5: All materials having individually identifiable data must be kept secure at all times through the use of passwords, physical separation of individual identity from the rest of the data, and secure data handling and storage. (See the Restricted-Use Data Procedures Manual, 2000.)


STANDARD 4-2-6:
When confidentiality edits (that are performed using perturbation techniques) are used for a data file they must be applied to all analytical files (e.g., public-use files, DAS files, and restricted-use files) derived from that data file.


STANDARD 4-2-7: NCES distributes Data Analysis Systems (DAS) that produce tabular estimates from restricted-use files. In this case, the following conditions must be met:

  1. NCES may not release the exact sample size for restricted-use data files that are distributed through a DAS.
     
  2. Only restricted-use data files with Disclosure Review Board (DRB) approved confidentiality edits may be used to produce a DAS.
     
  3. A DAS may not publish unweighted counts.

The confidentiality protection required in a DAS is a function of the type of estimate(s) to be produced. For example, a DAS that produces cell counts may require the use of more extensive confidentiality edits.

If a public-use file is released or planned for a data file, any DAS created for that data file must be based on public-use data that have undergone perturbation disclosure limitation techniques as part of confidentiality edits.


STANDARD 4-2-8: For public-use data files, NCES minimizes the possibility of a user matching outliers or unique cases on the file with external (or auxiliary) data sources. Because public-use files allow direct access to individual records, perturbation and coarsening disclosure limitation techniques may both be required. The perturbation disclosure limitation techniques by definition, include the techniques applied in a confidentiality edit (if one is performed) and may include additional perturbation disclosure limitation techniques as well.

Methods for Protecting Individually Identifiable Data

Type of Protection Methods
Perturbation Coarsening
Confidentiality Edit Yes Yes
Disclosure Limitation Techniques Yes Yes

All public-use files (i.e., the edited restricted-use files) that contain any potentially individually identifiable information must undergo a disclosure risk analysis in preparation for release to the public. The steps are as follows:

  1. At an early stage in designing and conducting this analysis, staff must consult the Disclosure Review Board (DRB) for guidance on disclosure risk analysis and on the use of NCES disclosure risk software. Any modifications that are necessary as a result of the analysis must be made, and the entire process must be documented.
     
  2. The documentation of the disclosure risk analysis must be submitted to the DRB. The documentation must include descriptions of the risk of disclosure and the types of edits used to avoid disclosure. Decisions over the type of confidentiality edits must take into account the procedures needed to avoid disclosure of individually identifiable information, age of the data, accessibility of external files, detail and specificity of the data, and reliability and completeness of any external files. The documentation should also include the results demonstrating the disclosure risk after adjustments to the data.
     
  3. The DRB will review the disclosure risk analysis report and make a recommendation to the Commissioner of NCES about the file release.
     
  4. The Commissioner then rules on the release of the data file.
     

STANDARD 4-2-9: Inasmuch as confidentiality edits are intended to protect individually identifiable data, files that incorporate the results of the DRB approved confidentiality edit plan may be used to produce tables without confidentiality concerns over minimum cell sizes. When this is done:

  1. All versions of a data file must reflect the same confidentiality edits. Staff must consult the DRB on the confidentiality plan, data file dissemination plan (restricted, public use, and/or DAS), and disclosure risk analysis plan, concurrently.
     
  2. Documentation of the confidentiality edit must be included along with the documentation of the disclosure risk analysis that is submitted to the DRB. 


STANDARD 4-2-10: A survey program may decide not to apply confidentiality edits (i.e., perturbation disclosure limitation techniques) to a restricted-use file (and the associated public-use file). In this situation, when tabulations are produced, any table with a cell with 1 or 2 unweighted cases must be recategorized to insure that each cell in the table has at least 3 unweighted cases. This restriction also applies to documentation for public-use files. This rule excludes table cells with zero cases because there are no data to protect in the cell.

    EXAMPLE: A principal salary table by race and years of experience may only have 2 Asian respondents with more than 20 years of experience. To implement this standard, one possibility would be to either combine the Asian category with another race group or combine the 20+ years of experience category with the next lower experience category. This process would continue until all cells have either at least 3 unweighted cases or no unweighted cases.


STANDARD 4-2-11: At the discretion of the Commissioner of NCES, data security staff may release individually identifiable data to persons for statistical uses compatible with the purposes for which the data were collected. Persons receiving individually identifiable data from NCES shall execute a restricted-use data license agreement, sign affidavits of nondisclosure, and meet such other requirements as deemed necessary in accordance with other confidentiality provisions of the law.


STANDARD 4-2-12: Before external data users may gain access to public-use data files, they must agree that they will not use the data to attempt to identify any individual whose data is in the file. This may be accomplished by using the following wording:

"WARNING"

    Under law, public use data collected and distributed by the National Center for Education Statistics (NCES) may be used only for statistical purposes.

    Any effort to determine the identity of any reported case by public-use data users is prohibited by law. Violations are subject to Class E felony charges of a fine up to $250,000 and/or a prison term up to 5 years.

    NCES does all it can to assure that the identity of data subjects cannot be disclosed. All direct identifiers, as well as any characteristics that might lead to identification, are omitted or modified in the dataset to protect the true characteristics of individuals. Any intentional identification or disclosure of a person violates the assurances of confidentiality given to the providers of the information. Therefore, users shall:

    • Use the data in this dataset for statistical purposes only.
       
    • Make no use of the identity of any person or institution discovered inadvertently, and advise NCES of any such discovery.
       
    • Not link this dataset with individually identifiable data from other NCES or non-NCES datasets.
       
    • To proceed you must signify your agreement to comply with the above-stated statutorily based requirements."
       

REFERENCE

Restricted-Use Data Procedures Manual. 2000. U.S. Department of Education, Office of Educational Research and Improvement, National Center for Education Statistics. Washington DC: U.S. Government Printing Office.