Statistical Standards Program

Chapter 1: Laws

1.1 Basic Statutes

The protection of survey databases that contain individually identifiable information is founded on the following statutes:


1.2 Privacy Act of 1974

The Privacy Act of 1974 states that federal agencies are required "to collect, maintain, use, or disseminate any record of identifiable personal information in a manner that assures…that adequate safeguards are provided to prevent misuse of such information."

To do this, the law protects the privacy of personal data maintained by the federal government. It imposes numerous requirements upon federal agencies to safeguard the confidentiality and integrity of personal data, and puts limits on the use of the data. (For the full text of the law, see Appendix C.)

Privacy Standards

Under the direction of the Office of Management and Budget, federal agencies issue policies, standards, and guidelines for protecting personal data under this law.

Computer Security Guideline

A key standard for this law is the Federal Information Processing Standard Publication (FIPSPUB) 41, Computer Security Guidelines for Implementing the Privacy Act of 1974. FIPSPUB 41 provides guidance to ensure that government-provided individually identifiable information is protected in accordance with federal statutes and regulations.


1.3 E-Government Act of 2002, Title III, Federal Information Security Management Act (FISMA)

The law is enacted to "provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets." FISMA requires each agency to develop, document, and implement an agencywide information security program "providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency."


1.4 Education Sciences Reform Act of 2002

The Education Sciences Reform Act of 2002 (ESRA 2002) authorizes the Institute of Education Sciences (IES) to collect and disseminate information about education in the United States. Collection is most often done through surveys. This Act, which incorporates and expands upon the Privacy Act of 1974, requires strict procedures to ensure the privacy of individual respondents and to protect the confidentiality of the data they provide.

This Act replaces the National Education Statistics Act of 1994 (NESA 1994). (For the full text of the law, see Appendix D.)

Confidentiality Standards

Individually identifiable information about students, their families, and their schools cannot be revealed. No person may:

  • use any individually identifiable information for any purpose other than a statistical purpose, except in the case of terrorism (see USA Patriot Act below);
  • make any publication whereby the data furnished by any particular person can be identified; or
  • permit anyone other than the individuals authorized by the IES Director to examine the individual reports.

The Act requires IES to develop and enforce standards to protect the confidentiality of students, their families, and their schools in the collection, reporting, and publication of data. The IES confidentiality statute is found in Public Law 107-279, section 183 (or as codified in 20 U.S.C. 9573).


Anyone who violates the confidentiality provisions of this Act when using the data shall be found guilty of a class E felony and can be imprisoned up to five years, and/or fined up to $250,000.


1.5 USA Patriot Act of 2001

The USA Patriot Act of 2001 amended NESA 1994 by permitting the Attorney General to petition a judge for an ex parte order requiring the Secretary of the Department of Education to provide NCES data to the Attorney General when the data are identified as relevant to an authorized investigation or prosecution of an offense concerning national or international terrorism. Any data obtained by the Attorney General for these purposes must be treated as confidential information, "consistent with such guidelines as the Attorney General, after consultation with the Secretary, shall issue to protect confidentiality." This amendment was incorporated into ESRA 2002. (For the full text of the law, see Appendix D.)


1.6 Foundations of Evidence-Based Policymaking Act of 2018, Title III, Part B, Confidential Information Protection

The E-Government Act of 2002, Title V, Subtitle A, Confidential Information Protection (CIP 2002) requires that all individually identifiable information supplied by individuals or institutions to a federal agency for statistical purposes under a pledge of confidentiality must be kept confidential and may only be used for statistical purposes.1 Under CIP, any willful disclosure of such information for nonstatistical purposes, without the informed consent of the respondent, is a class E felony, punishable by up to five years in prison, and/or a fine up to $250,000.

In 2018, Congress enacted the Foundations of Evidence-Based Policymaking Act. As it relates to Confidential Information Protection, this 2018 Act transferred the Confidential Information (and Statistical Efficiency) Act (CIPSEA) from the 2002 E-Government Act to the Foundations of Evidence-Based Policymaking Act of 2018 and codified CIPSEA in a new subchapter III, of chapter 35 of title 44, United States Code. The Class E felony penalties for any willful disclosure of confidential information are unchanged.

1 As amended by Federal Register, 62:35044-35050.