Forum Curriculum for Improving Education Data
NCES 2007-808
May 2007

Lesson: Security and Confidentiality


All Key Players¹


This lesson is one of four workshops that serve as an introduction to building a culture of quality education data. All participants should complete all four workshops. In this workshop, participants will learn about the security component of quality data, specifically the Family Educational Records and Privacy Act (FERPA) and Health Insurance Portability and Access Act (HIPAA) regulations that govern school confidentiality issues.


  • Identify practices that compromise security.
  • Distinguish confidential and public student and staff information based on FERPA and HIPAA regulations.

Instructor Preparation

  • Familiarize yourself with the correct answers to the FERPA/HIPAA Quiz by thoroughly reading the FERPA/HIPAA Quiz Answer Key.
  • Make a copy of the FERPA/HIPAA Quiz Answer Key for you to refer to during the workshop.
  • Make a single copy of the following lesson resources (which can be found in the Lesson Resources column at the top of this page) for each participant:
    • FERPA/HIPAA Quiz
    • Guide to Confidentiality
    • Forum Guide to the Privacy of Student Information: A Resource for Schools
    • Health Records: FERPA and HIPAA
    • FERPA/HIPAA Quiz Answer Key
    • Examples of Best Practices Regarding Data Security

Essential Learnings

  • Rights for students and parents and requirements for local education agencies (LEAs) are many and complex under the Family Educational Records and Privacy Act (FERPA) and the Health Insurance Portability and Access Act (HIPAA).
  • When talking about data security, both the physical security of the data (preventing inappropriate taking of data) and confidentiality (protecting data to prevent the casual or deliberate imparting of private information through conversation or carelessness) are at issue.
  • Security and confidentiality issues arise with regard to paper records, electronic records, and conversations.
  • The arrangement of desks and computer screens and the ability to lock desk and file drawers are important factors in data security.
  • Directory information (that information published in a district's directories) is normally not confidential. Parents have a right to define any of the normal directory information for their child as confidential.

1 Key players include board members, superintendents, principals, data stewards/coordinators, teachers, technology support staff, and office staff.