Return to List of Exhibits and Figures
Exhibit 6–3: NCES Statistical Standards on Maintaining Confidentiality
(National Center for Education Statistics 2002)
- Staff and contractors must pledge not to release any individually identifiable data, for any purpose, to any person not sworn to the preservation of confidentiality.
- All contractors whose activities might involve contact with individually identifiable information must provide NCES Project Officers with a list of all staff who might have contact with such data; all such staff must have a signed notarized affidavit of nondisclosure on file at NC ES. These affidavits and the staff list must be kept current as staff members leave and as new staff members are assigned to NCES projects with individually identifiable information.
- All contractor staff with access to individually identifiable information must only use that information for purposes associated with the data collection and analysis specified in the contract.
- Respondents must be told in a cover letter or in instructions that “All responses that relate to or describe identifiable characteristics of individuals may be used only for statistical purposes and may not be disclosed, or used, in identifiable form for any other purposes, unless otherwise compelled by law.”
- All materials having individually identifiable data must be kept secure at all times through the use of passwords, physical separation of individual identity from the rest of the data, and secure data handling and storage.
- When confidentiality edits (that are performed using perturbation techniques) are used for a data file, they must be applied to all statistical files derived from that data file.
- NCES distributes Data Analysis Systems (DAS) that produce tabular estimates from restricted-use files. In this case, the following conditions must be met:
- NCES may not release the exact sample size for restricted-use data files that are distributed through a DAS.
- Only restricted-use data files with Disclosure Review Board (DRB)-approved confidentiality edits may be used to produce a DAS.
- A DAS may not publish unweighted edits.
The confidentiality protection required in a DAS is a function of the type of estimate(s) to be produced. For example, a DAS that produces cell counts may require the use of more extensive confidentiality edits.
If a public-use file is released or planned for a data file, any DAS created for that data file must be based on public-use data or restricted-use data that have undergone perturbation disclosure limitation techniques as part of confidentiality edits.
- For public-use data files, NCES minimizes the possibility of a user matching outliers or unique cases on the file with external (or auxiliary) data sources. Because public-use files allow direct access to individual records, perturbation and coarsening disclosure limitation techniques may both be required. The perturbation disclosure limitation techniques by definition include the techniques applied in a confidentiality edit (if one is performed) and may include additional perturbation disclosure limitation techniques as well.
All public files (i.e., the edited restricted-use files) that contain any potentially individually identifiable information must undergo a disclosure risk analysis in preparation for release to the public. The steps are as follows:
- At an early state in designing and conducting this analysis, staff must consult the DRB for guidance on disclosure risk analysis and on the use of NCES disclosure risk software. Any modifications that are necessary as a result of the analysis must be made, and the entire process must be documented.
- The documentation of the disclosure risk analysis must be submitted to the DRB. The documentation must include descriptions of the risk of disclosure of individually identifiable information, age of the data, accessibility of external files, detail and specificity of the data, and reliability and completeness of any external files. The documentation should also include the results demonstrating the disclosure risk after adjustments to the data.
- The DRB will review the disclosure risk analysis report and make a recommendation to the Commissioner of NCES about the file release.
- The Commissioner then rules on the release of the data file.
- Inasmuch as confidentiality edits are intended to protect individually identifiable data, files that incorporate the results of the DRB-approved confidentiality edit plan may be used to produce tables without confidentiality concerns over minimum cell sizes. When this is done:
- All versions of a data file must reflect the same confidentiality edits. Staff must consult the DRB on the confidentiality plan, data file dissemination plan (restricted, public use, and/or DAS), and disclosure risk analysis plan, concurrently.
- Documentation of the confidentiality edit must be included, along with the documentation of the disclosure risk analysis that is submitted to the DRB.
- A survey program may decide not to apply confidentiality edits to a restricted-use file. In this situation, when tabulations are produced, any table with a cell with 1 or 2 unweighted cases must be recategorized to insure that each cell in the table has at least 3 unweighted cases. This restriction also applies to documentation for public-use files. This rule excludes table cells with zero cases because there are no data to protect in the cell.
Example: A principal salary table by race and years of experience may only have 2 Asian respondents with more than 20 years of experience. To implement this standard, one possibility would be to either combine the Asian category with another race group or combine the 20+ years of experience category with the next lower experience category. This process would continue until all cells have either at least 3 unweighted cases or no unweighted cases.
- At the discretion of the Commissioner of NC ES, data security staff may release individually identifiable data to persons for statistical uses compatible with the purposes for which the data were collected. Persons receiving individually identifiable data from NCES shall execute a restricted-use data license agreement, sign affidavits of nondisclosure, and meet such other requirements as deemed necessary in accordance with other confidentiality provisions of the law.
- Before external data users may gain access to public-use data files, they must agree that they will not use the data to attempt to identify any individual whose data is in the file. This may be accompanied by using the following wording:
Under law, public-use data collected and distributed by the National Center for Education Statistics (NCES) may be used only for statistical purposes.
Any effort to determine the identity of any reported case by public-use data users is prohibited by law. Violations are subject to Class E felony charges or a fine up to $250,000 and/or a prison term up to 5 years.
NCES does all it can to assure that the identity of data subjects cannot be disclosed. All direct identifiers, as well as any characteristics that might lead to identification, are omitted or modified in the dataset to protect the true characteristics of individuals. Any intentional identification or disclosure of a person violates the assurances of confidentiality given to the providers of the information. Therefore, users shall:
- Use the data in this dataset for statistical purposes only.
- Make no use of the identity of any person discovered inadvertently, and advise NCES of any such discovery.
- Not link this dataset with individually identifiable data from other NCES or non-NCES datasets.
To proceed you must signify your agreement to comply with the above-stated statutorily based requirements.”
Return to List of Exhibits and Figures