In some cases, researchers who are not employed by the agency or school may be authorized to conduct data processing or research and evaluation studies through contractual arrangements. If these efforts are initiated by and performed on behalf of the agency or school, researchers may be considered school officials who have a legitimate educational interest. These situations were discussed in section 4. However, researchers outside the agency or school often request individual information (which may or may not be personally identifiable) for their own research agendas. More often than not, the requested information includes more than one data item from the education records or student database. These requests should be handled on a case-by-case basis. The written agency or school policy should include criteria for considering such requests, such as:
The NCES Statistical Standards, last updated by the National Center for Education Statistics (NCES) in September 2002, includes a section on maintaining confidentiality during data processing. This section includes the standards and procedures to which NCES staff and contractors must adhere in order to protect the confidentiality of personally identifiable information. State and district officials may consider these standards in developing their own procedures and requirements. Exhibit 6–3 includes these standards.
In general, the release of data to researchers outside the agency should be considered as a loan of data (i.e., recipients do not have ownership of the data). Agencies or schools could request that these data be returned or copies destroyed when the researchers complete their work.
Before considering these data requests, agencies should establish written guidelines and procedures to allow the on-site access or off-site loan of personally identifiable data by appropriate individuals or organizations. Last updated in 2000, NCES published a manual called Restricted-Use Data Procedures Manual to ensure the implementation of proper procedures before releasing any of its data sets. The following items, adapted from this manual, could be included in an agency’s policies and procedures regarding the loan of data:
Organizations that intend to obtain access to personally identifiable data could be required to submit a formal written application on the organization’s letterhead that would include:
In addition, the organizations requesting access or loan of data should submit a security plan addressing all applicable security procedures. Those procedures may include:
Agencies must proceed with caution before releasing portions of databases containing individual education records since these can include personally identifiable information. Under most cases, the release of database information with personally identifiable information is limited by law. In these cases, if a request for individual records is approved, agency or school staff should extract only the data approved for release.
Before a data set is released across agencies or to researchers or research institutions, appropriate agreements must be signed to clearly state that, in the minimum:
Individuals employed by the agencies who are authorized and who will have access to the individually identifiable information also could be required to sign an affidavit of nondisclosure. Exhibit 6–4 contains a sample form.
In most cases, information indicating that an education record has been released must be documented in the record and retained there until the education record is destroyed.