The protection of survey databases that contain individually identifiable information is founded on the following statutes:
The Privacy Act of 1974 states that federal agencies are required "to collect, maintain, use, or disseminate any record of identifiable personal information in a manner that assures…that adequate safeguards are provided to prevent misuse of such information."
To do this, the law protects the privacy of personal data maintained by the federal government. It imposes numerous requirements upon federal agencies to safeguard the confidentiality and integrity of personal data, and puts limits on the use of the data. (For the full text of the law, see Appendix C.)
Under the direction of the Office of Management and Budget, federal agencies issue policies, standards, and guidelines for protecting personal data under this law.
A key standard for this law is the Federal Information Processing Standard Publication (FIPSPUB) 41, Computer Security Guidelines for Implementing the Privacy Act of 1974. FIPSPUB 41 provides guidance to ensure that government-provided individually identifiable information is protected in accordance with federal statutes and regulations.
The law is enacted to "provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets." FISMA requires each agency to develop, document, and implement an agencywide information security program "providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency."
The Education Sciences Reform Act of 2002 (ESRA 2002) authorizes the Institute of Education Sciences (IES) to collect and disseminate information about education in the United States. Collection is most often done through surveys. This Act, which incorporates and expands upon the Privacy Act of 1974, requires strict procedures to protect the privacy of individual respondents.
This Act replaces the National Education Statistics Act of 1994 (NESA 1994). (For the full text of the law, see Appendix D.)
Individually identifiable information about students, their families, and their schools cannot be revealed. No person may:
The Act requires IES to develop and enforce standards to protect the confidentiality of students, their families, and their schools in the collection, reporting, and publication of data. The IES confidentiality statute is found in Public Law 107-279, section 183 (or as codified in 20 U.S.C. 9573).
Anyone who violates the confidentiality provisions of this Act when using the data shall be found guilty of a class E felony and can be imprisoned for up to five years and/or fined up to $250,000.
The USA Patriot Act of 2001 amended NESA 1994 by permitting the Attorney General to petition a judge for an ex parte order requiring the Secretary of the Department of Education to provide NCES data that are identified as relevant to an authorized investigation or prosecution of an offense concerning national or international terrorism to the Attorney General. Any data obtained by the Attorney General for these purposes must be treated as confidential information, "consistent with such guidelines as the Attorney General, after consultation with the Secretary, shall issue to protect confidentiality." This amendment was incorporated into ESRA 2002. (For the full text of the law, see Appendix D.)
Following the enactment of the Patriot Act, the 107th Congress enacted the E-Government Act of 2002, Title V, Subtitle A, Confidential Information Protection (CIP 2002), which requires that all individually identifiable information supplied by individuals or institutions to a federal agency for statistical purposes under a pledge of confidentiality must be kept confidential and may only be used for statistical purposes.[1] Any willful disclosure of such information for nonstatistical purposes, without the informed consent of the respondent, is a class E felony, punishable by up to five years in prison, and/or a fine up to $250,000.
[1] As amended by Federal Register, 62:35044-35050.