Skip Navigation
The Forum Guide to Data Ethics
NCES 2010-801
March 2010

3. Be aware of applicable statutes, regulations, practices, and ethical standards governing data collection and reporting

The local business club had a reputation for doing good works throughout the community, so the district's data manager wasn't surprised when the superintendent told him to pitch in with the organization's latest charitable activity. Club members had asked for student socioeconomic data to help identify families in need so that they could offer financial help with books, school snacks, extracurricular activities, and other worthy initiatives. The data manager wanted to support these laudable efforts, but knew that he couldn't disclose the confidential data. When he informed the superintendent, his boss asked him to bend the rules this one time, "You know they're trying to do something good here. I really don't want us turning away people who want to help our neediest kids." The data manager agreed that everyone's intentions were pure, so he asked if his boss might consider an opt-in program, whereby all families would be notified of the program and invited to sign up if they were interested. The superintendent agreed that it was a fair idea, but noted that the yield on opt-in programs was usually low. "Can't we just bend the rules this one time to try to do a good thing?" The data manager knew that he faced quite a dilemma—doing good versus doing right.
Ignorance is unethical. Good ethics demand that educators make themselves aware of changing statutes, regulations, practices, and standards.

The temptation to break the rules arises now and again. And ignorance of a legal requirement does not cancel the ethical obligation to meet it. Good ethics require that educators make themselves aware of existing and emerging statutes, regulations, practices, and ethical standards regarding data collection and data reporting. Anything short of staying up-to-date is neither a reasonable data practice nor an acceptable management option.

Organizations should make sure that staff and volunteers are familiar, to the extent their roles require, with any laws and policies governing the collection and reporting of data. Staff should be aware of any circumstances under which exceptions can be made. For example, can confidential information be shared with authorities if a student is in danger? When does a situation warrant disclosure?

Laws can change over time. Education organizations and the people who work with them should know their responsibilities regarding the protection of student data under the Family Education Rights and Privacy Act (FERPA), the Individuals with Disabilities Education Act (IDEA), and the Health Insurance Portability and Accountability Act (HIPAA). (See appendix D for more information on FERPA.)

Everyone who collects, handles, or reports data on individuals has legal and ethical responsibilities for this information. Organizations should provide training on these responsibilities to teachers, data clerks, and volunteers, among others. Everyone should know the district's policy on releasing student directory information and how to respond to requests for confidential information. The federal laws protecting staff data are not as stringent as those governing student records. Organizations should determine what state laws, and state or local policies, are applicable to staff data and information about parents or other community members. Which staff data are confidential, and which are public record? If data confidentiality is requested (or required) can its guarantee be honored?

Finally, the organization should be sure that everyone who is part of it is aware of who has the right to access different data. Teachers, counselors, administrators, support staff, and volunteers do not all have the same right of access to data. Knowing what information is private (not mine to know) is as important as knowing what information is confidential (not mine to share).

Recommended Practices and Training

These and other free Forum best practice guides are described in appendix A and are available for downloading, printing, or ordering here
  1. Encourage leadership within the organizational hierarchy (e.g., federal, state, and local education agencies, including board members) to know and effectively communicate current statutes, regulations, guidelines, accepted practices, and appropriate behavior regarding data access and disclosure to all employees.
  2. Give educators access, in some reasonable format, to professional publications, instructional guides, trade journals, and other development materials necessary to stay abreast of relevant statutes, regulations, guidelines, accepted practices, and ethical standards.
  3. Engage in professional development and staff training on relevant statutes, regulations, guidelines, accepted practices, and ethical standards concerning privacy and confidentiality. This training should be customized to meet the needs of different job responsibilities within the organization. Under most circumstances, this includes staff education about best practices for maintaining the privacy of individual student and staff information, including provisions of the federal Family Educational Rights and Privacy Act and similar state and local statutes (see the Forum Guide to the Privacy of Student Information: A Resource for Schools; and the Forum Guide to Protecting the Privacy of Student Information: State and Local Education Agencies.
  4. Schedule periodic reviews to evaluate the effectiveness of communications and training efforts, as well as staff compliance with applicable statutes, regulations, guidelines, accepted practices, and ethical standards. Ensure that staff responsible for supervising the employees who perform data collection and reporting are, themselves, cognizant of state-of-the-art education data practices.
  5. Train all data users in a routine and ongoing manner about data management, use, privacy, and exchange to ensure that they are aware of changing expectations and standards. Customize training efforts by job type as appropriate for communicating concepts and translating instruction into practice. One approach is to discuss the organization's rules about data disclosure and ask training participants to give examples of how each rule applies to their work. Develop several scenarios involving data confidentiality and ask the participants to talk about how they would handle them. For example, situations might include someone identifying himself as a prospective employer, who telephones and asks for information from a student's academic record; an in–service training session in which the presenter's visuals include names and other information about real students; talking with a volunteer who you have been informed divulged information about a student's health condition; or talking with a non-custodial parent who wants a copy of his or her child's grades. In order to encourage open discussion, do not ask training participants to report on instances in which they themselves have broken confidentiality regulations.