Statistical Standards Program
Publications & Products|Staff

Chapter 2: Licensing Procedures

Chapter Contents

2.1 What Data Are Licensed

Only Restricted-Use Data Are Licensed

When IES conducts surveys, the data collected sometimes include individually identifiable information, which is confidential and protected by law. 1

Restricted-use data is the term for survey data that contain individually identifiable information. Only restricted-use data are licensed. (Note: Public-use data are not licensed.)

The restricted-use data provided to the licensee and all information derived from those data, and all data resulting from merges, matches, or other uses of the data provided by IES with other data are subject to the License and are referred to in the License as "subject data."

Individually identifiable information includes, but is not limited to, personal data in the following categories:

  • education,
  • financial,
  • medical,
  • employment,
  • criminal,
  • personal identifiers (e.g., name, number, symbol),
  • other identifying particulars assigned to the individual (e.g., fingerprint, voiceprint, photograph), and
  • any data elements which alone or in combination can be used to identify an individual.

Available Restricted-Use Databases

The restricted-use databases that are available to organizations in the United States through these licensing procedures are listed at: NCES online catalogue.

Top

2.2 What is a License?

Three similar License documents are used to lend restricted-use data: Memorandum of Understanding, License, and Contract. All three are referred to as Licenses and, when signed, are equally binding on the licensees.

Memorandum of Understanding

The Memorandum of Understanding is used to provide data to federal agencies or offices, external to IES. A copy of the memorandum is in Appendix E.

License

The License is used to provide data to non-federal agencies or offices, including organizations working on analysis contracts with IES. Appendix F contains a copy of the License.

Contracts

When IES has a contract involving the collection of restricted-use data, the contract "boiler plate" includes the provisions of the License.

Content of License Documents

In brief, each of the three License types:

  • defines the information subject to this agreement,
  • specifies the individuals who may have access to subject data (PPO and professional/technical and support staff),
  • describes limitations of disclosure,
  • lists administrative requirements,
  • requires that publications based on the data be sent to IES prior to disseminating them to non-licensed individuals,
  • requires the organization to contact IES in case of (suspected) breaches of security,
  • requires the organization to agree to unannounced and unscheduled inspections,
  • reviews the security requirements for the maintenance of, and access to, subject data, and
  • describes penalties for violations.

Top

2.3 Who Needs a License Document

Virtually every organization needs a License document to authorize individual access to restricted-use data.

The type of organization determines the specific license document.

Matching Organizations to License Documents

Type of Organization License Document
Federal Agencies* Memorandum of Understanding
IES Staff Oath of office replaces Memorandum; staff must sign a form provided by the IES Data Security Office to obtain the data.
Non-Federal Agencies/Groups/Organizations License
State and Local Agencies License
Research Laboratories License
Data Collection Contractor
(to IES) 		License "Boiler Plate" in Contract
Subcontractor (to IES Contractor) License "Boiler Plate" in Contract
Survey Pre-Tests License "Boiler Plate" in Contract
Analysis Contractor License
* This includes other components of the Department of Education.

Restricted-Use Data and IES Staff

IES staff are subject to all of the obligations and restrictions protecting restricted-use data. Further, IES staff are not authorized to issue restricted-use data files.

  • Any in-house staff needing access to restricted-use data must request and obtain clearance through the IES Data Security Office.
  • Staff must sign a form provided by the IES Data Security Office to obtain the data.
  • Staff who have restricted-use data must keep it under lock and key. These data may not be stored on a laptop computer and computer output cannot be left out in the open when not in use. (See Chapter 3, Security Procedures, for full details.)
  • The data may not be removed from the office area.
  • These restricted-use data must be returned to the IES Data Security Office prior to the departure of an employee. IES staff should refer all requests for License documents, affidavits, or restricted-use data to the IES Data Security Office. These requests should not be handled by program staff.

Pre-test Monitoring

Staff perform pre-tests to review the data collection process and to test the validity of the survey instrument. Because respondent data are acquired to test the proposed survey design, the responses collected in this pre-test sampling may contain individually identifiable information and thus may be subject to restricted-use data security procedures.

The IES Contracting Office Representative (COR) who is responsible for conducting these pre-tests, must submit a written description of what is involved in the survey design review to the IES Data Security Office. The COR must also obtain an executed Affidavit of Nondisclosure from all persons outside IES who will review the survey design and will have access to these data. The COR will keep all original Affidavits of Nondisclosure in the project file and be able to produce them on request.

Contractors

An organization or individual performing work under contract must complete the licensing process unless the collection of restricted-use data is required to fulfill the terms of the contract. The conditions spelled out in the License are incorporated in the "boiler plate" of contracts that collect any personally identifiable information on behalf of IES

  • Sub-Contractors (to Contractors) are bound by the terms in the contractual agreement of the contractor.
  • Those terms include the provision that data cannot leave the licensed site. Sub-contractors needing to use data at a remote site must get their own separate Licenses.

A contractor who proposes to do independent research using the restricted-use data to perform work for IES must submit a formal, written request. If the purpose of the independent research is different from the purpose for using the data as stated in the contract, the contractor must follow the standard application process for obtaining a License (see Section 2.4).

Top

2.4 Applying for a License


Summary of Procedures

To qualify for and receive restricted-use data, applicants must submit all four types of documents:

The Formal Request will ask for specific items of information. This information will be collected through the IES electronic license application system at: http://nces.ed.gov/StatProg/instruct.asp.

After the initial online Formal Request has undergone a preliminary review and received a provisional approval to proceed from the IES Data Security Office, applicants are to prepare, complete and return the signed License, notarized Affidavits, and the Security Plan Form.

Mail all documents, signed by the Principal Project Officer (PPO) and Senior Official (SO) to the IES Data Security Office.

The IES Data Security Office staff will review the submitted documents for content and completeness.

  • In the online Formal Request, you must demonstrate that the proposed research project meets basic requirements of applicability to education research.
  • The Security Plan Form must be complete and must comply with the Security Procedures outlined in Chapter 3.
  • IES may request additional information regarding the proposed use of the data, the resources available to the researcher to perform the analysis, or other aspects of the project that are deemed necessary. All questions IES has about an organization's application must be resolved in writing prior to the formal approval of the License.

The License documents are only submitted to the IES front office for final approval when all required information has been received and the License application is complete.

The decision to grant a License is solely that of the Director or a designated Commissioner. The License approval becomes effective on the date of the Director's Commissioner’s signature.

Formal Request

The Formal Request will ask for specific items of information (see checklist below). Your information will be collected through the IES electronic license application system at: http://nces.ed.gov/StatProg/instruct.asp.

Formal Request Checklist
(1) The name, title, and contact information of the Principal Project Officer      
(2) The name, title, and contact information of the Senior Official  
(3) The name, title, and contact information of the System Security Officer  
(4) The title of the database(s) requested for access  
(5) A description of the statistical research project and how the restricted-use database will be used and justification for access  
(6) The names and titles of other persons who will use and access the data  
(7) The estimated loan period (not to exceed five years)  

The Formal Request requirements are described in more detail below:

(1) The name, title, and contact information of the Principal Project Officer who will oversee the daily operations. To qualify for and receive a restricted-use data License and the restricted-use data, academic applicants must have the rank of post-doctoral fellow or above to serve as the Principal Project Officer (PPO). Visiting professors or scholars cannot serve as a PPO. Applicants in research laboratories or analytic consulting firms must have the rank of research associate or above to serve in this role. (The PPO is the researcher in charge of the day-to-day operations involving the use of subject data and is responsible for liaising with the IES Data Security Office.)

(2) The name, title, and contact information of the Senior Official having the signatory authority to legally bind the organization to the provisions of the License contract.

(3) The name, title, and contact information of the Systems Security Officer who will oversee the security of the data. The PPO can also serve as the SSO.

(4) The title of the database(s) the organization wants to access.

(5) A description of the statistical research project. The description must fulfill the following conditions for each dataset requested:

  • describe the final research objective,
  • articulate specific research questions,
  • identify the specific variables or sets of variables to be used,
  • describe the statistical techniques to be used,
  • explain why the public-use version of the data is insufficient for your research needs,
  • describe the sector(s) of the community that will be served by the product, and
  • assure IES that the data will not be used for any administrative or regulatory purpose in addition to, or instead of, the statistical purpose described.

Note: The purpose of the research for which the data are requested must accord with the purpose for which the survey data were collected. Descriptions of those purposes are in Appendix H.

If an applicant requests access to subject data that are currently under an IES Contract/Task Order with the applicant, the applicant must provide:

  • the contract number, and
  • the name of the Contracting Office Technical Representative (COR).

(6) The names and titles of other persons who will be accessing the database. Generally, the staff is limited to a maximum of seven (7) persons. Exceptions to this limit may be authorized by the IES Data Security Office. Written documentation authorizing the exception must be obtained from IES. Please note that requests for additional data or amendments to an existing License will only be accepted from the PPO.

(7) The estimated loan period necessary for accessing the database. Loan periods are in one-year increments and may not exceed a five-year period. The loan period starts on the date that IES signs the License document.

License Document

The License document is a legally binding agreement or contract.

License Document Checklist
Review the appropriate License document      
Insert the name of the Agency or organization to be licensed in the appropriate blank(s)  
The Senior Official (or appropriate government official for an MOU) signs the License  
The Principal Project Officer signs the License  
Indicate loan period (not to exceed five years)  
Send the original signed License to the IES Data Security Office  

Affidavit of Nondisclosure

An Affidavit of Nondisclosure must be executed for each person who will have access to the data


Affidavit of Nondisclosure Checklist
Obtain a notarized Affidavit of Nondisclosure from each person who may come in contact with the subject data, as well as anyone other than  security/ or police or personnel who have key access to the secure project office. (For more information on this requirement, see Chapter 3.)      
Fill in all requested information on the Affidavit  
Send the original signed and notarized Affidavits of Nondisclosure to the IES Data Security Office  

Appendix G contains a copy of the Affidavit of Nondisclosure form.

In general, an individual who is not an IES employee and who wants access to licensed individually identifiable information must execute an Affidavit of Nondisclosure and submit it, through a licensed organization, to the IES Data Security Office. IES allows up to six (6) individuals per License to have access to the subject data.

The one-page Affidavit contains:

  • the name of the survey(s) to be accessed (see below),
  • an oath or affirmation not to disclose individually identifiable information to any person not similarly sworn,
  • the penalties for disclosure, and
  • the signature and imprint of a notary public.

Affidavits are "data-specific": they are only valid for the data listed on the form. I anticipate requesting future rounds of data collection for database include all data names and all subsequent followups that will be needed; for example, "the base year data and all subsequent followups."

Notarized documents cannot be amended by IES. To access any data data that were not listed on the notarized affidavit-including subsequent followup of a listed database, another affidavit must be executed. Each affidavit must be accompanied by a IES license user training certificate. (See Section 3.6, License User Training.)

Organizations must promptly notify IES of any changes in project staff. (See Section 2.6, Amending a License.)

Security Plan Form

The Security Plan Form contains the detailed procedures for protecting the subject data.

Security Plan Form Checklist
Review Chapter 3, Security Procedures      
Fill out the Security Plan Form found in Appendix J  
Send the original, signed Security Plan Form to the IES Data Security Office  

Restricted-use data must be kept secure at all times, meaning that the individually identifiable information is secure from unauthorized disclosure or modification. Security procedures are explained in detail in Chapter 3; the Security Plan Form can be found in Appendix J.

Note: In lieu of the Security Plan Form, federal agencies must submit documentation verifying that the agency has an approved Certification and Accreditation (C&A) for its IT systems. Federal agencies must adhere to the security requirements set forth in the MOU.

Receiving the Requested Materials

Once the License is approved by IES, the IES Data Security Office sends the licensee the data and other items.

Final Product Package Contents
The new licensee receives the License package that includes:      
  • a copy of the original License and Security Plan Form
  
 
  • Restricted-use database media materials and instructional materials to assist the project staff in the use of the data. The data CD-ROM includes a -
    (1) Warning/Restriction Label
    (2) Loan Expiration Date

 

The package is sent Restricted Delivery - Certified Mail to the licensee. All restricted-use data on CD-ROM are encrypted and require a passphrase to open. The PPO must email the IES Data Security Office with a the names of the encrypted files received in order to obtain the needed passphrases.

Note: Only one copy of a database in any format can be borrowed at a time. A licensee who has a copy of the database and wants a revised version must return the original via certified mail before the revised version will be sent. (See Section 2.6, Amending a License.)

Under no circumstances may the original or a duplicate of the database be removed or electronically communicated from the licensee's secure project office.

Top

2.5 Required Licensee Activity

The licensee is responsible for all terms and conditions in the License document, the Security Plan Form and related materials. (See the appropriate license document in Appendix E or F for full requirements.)

This section addresses three major administrative requirements:

  • Maintaining the License file, including copies of all executed Affidavits, and IES license user training certificates,
  • Submitting research publications for disclosure review prior to publication or access by non-licensed individuals, and
  • The licensee's responsibility to be ready for inspection at all times.

Maintaining the License File

The Principal Project Officer (PPO) is accountable for having all pertinent information listed below in a License file.

License File Checklist
The PPO shall maintain a License file in the secure project office where the licensee stores the restricted-use data. This file must contain the following items:      
  • copies of emails received from the IES Data Security Office
  
 
  • any amendments to the License document and related emails
  
  • a current list of all individuals who may have access to the data, along with copies of their notarized Affidavits of Nondisclosure and IES license user training certificates
 

Note: All project staff shall both READ and UNDERSTAND this material. All individuals who have access to the subject data must be fully aware of the required security requirements and procedures. (The Principal Project Officer is directly responsible for ensuring that all project staff understand and implement all of the required security procedures.)


Submitting Research Publications

If the licensee intends to publish or distribute any information product that uses the subject data where unauthorized persons will have access, then the licensee must submit an advance copy of the product to the IES Data Security Office via email to IES_DRR@ed.gov with the Disclosure Risk Review Template as an attachment prior to its publication or access by non-licensed individuals. The subject of the email and the Disclosure Risk Review Template shall be named DRR_LicenseNumber_Institution_AuthorName_YYMMDD.doc (e.g., DRR_123546_HortonU_Seuss_220204.doc). Upon final approval, the document will cleared by the IES Data Security Office, then licensee may distribute the document as desired.

Research Publication Checklist

The PPO shall forward a copy of each publication containing information based on restricted-use data to the IES Data Security Office for a disclosure review.

For all datasets produced by IES or NCES, licensees are required to round all unweighted sample size numbers to the nearest ten (nearest 50 for ECLS-B) in all information products (i.e.: proposals, presentations, papers or other documents that are based on or use restricted-use data). For all other datasets, including administrative datasets produced by other agencies within the Department of Education (e.g. EDFacts, CRDC, etc.), disclosure avoidance standards will vary. The required disclosure avoidance measures for these non-IES datasets will be listed in a readme.txt file included with that specific dataset.

Licensees are required to provide a draft copy of each information product that is based on or uses restricted-use data to the IES Data Security Office for a disclosure review. The licensee must not release the information product to any person not authorized to access the data until formally notified by IES that no potential disclosures were found. This review process usually takes 5 to 10 business days.

      

Passing On-Site Inspections

The License (Section IV.G) gives IES the right to conduct unannounced, unscheduled inspections of the licensee's secure project office to assess compliance with the provisions of the License, security procedures (see Chapter 3), and the licensee's submitted Security Plan Form. (The inspection procedures are described in Chapter 4, and a copy of the On-Site Inspection Guideline can be found in Appendix K.)

Any violation found during the inspection may subject the licensee to immediate revocation of the License by IES, or report of the violation to the U.S. Attorney.

On-site Inspection Checklist
When an on-site inspection is conducted, IES will provide formal notification of any violations of the required security procedures. If violations are reported, the licensee must take the following steps:      
  • Correct all identified security violations.
  
  • Notify IES in writing of the corrective measures.
 

Outside Requests for Data

The licensee shall notify IES immediately when he/she receives any legal, investigatory or other demand for IES subject data, including any request or requirement to provide subject data to a state agency or state contractor. The licensee is not authorized to give IES subject data to the requester.

Top

2.6 Amending a License

IES must be kept informed of any modifications in project operations throughout the span of the loan period. The most common changes to a License can be done online through the licensee's online License information page. All amendment requests must be initiated by the Principal Project Officer (or the Senior Official in the PPO's absence). A weblink to the licensee's online License information page may be obtained from the IES Data Security Office at the request of the PPO, or can be obtained through the system login page, at: https://nces.ed.gov/statprog/licenseapp/RequestEmail.asp

Seven types of amendments can be submitted via the online License system:
  • Add User,
  • Delete User,
  • Add Database,
  • Add new research project using restricted use data loaned to Licensee
  • Modify Security Plan,
  • Extend License, and
  • Close-out License

Note: Paper requests for these six amendments will not be accepted. These amendments, and the associated documentation required for each, are described in more detail below.

To submit the desired amendment, the PPO must click on the corresponding button on the licensee’s online License information page, and complete the information on the presented web pages. Once the amendment is submitted, the PPO will receive an automatically-generated email stating that the request has been received by the IES Data Security Office. Another email will be generated when the amendment has been approved by IES. The licensee is responsible for keeping copies of these emails in the License file as discussed in Section 2.5.

Note: The online License system will only process one amendment request at a time. If another amendment has already been requested, no other amendments to the License are possible until the pending amendment has been approved or canceled.

Add User Amendment

An "Add User" amendment is requested in order to add additional project staff to the License (multiple new users may be added in the same amendment request). After the "Add User" amendment has been submitted, the licensee must then send an original signed and notarized Affidavit of Nondisclosure and an IES license data user training certificate for each new user(s) to IES.

Once the affidavits and training certificates have been received, the amendment will be approved through the online system and the users will then be approved to access the restricted-use data. Until the "Add User" amendment has been approved, the new user(s) must not be allowed access to the subject data.

Add User Amendment Checklist
Notify IES of any additions to project staff via an "Add User" amendment request through the online License system.      
Send the notarized Affidavit(s) of Nondisclosure and training certificates for the additional users to IES.  
Retain copies of the emails from IES confirming the initial submission and final approval of the "Add User" amendment in the License file.  

Delete User Amendment

A "Delete User" amendment is requested in order to remove listed users from the License. This amendment requires no corresponding paperwork. The IES Data Security Office usually approves these amendments in one business day. After removal from the License, the departing individual(s) must not be permitted access to the restricted-use data.

Delete User Amendment Checklist
Notify IES of any reductions in project staff via a "Delete User" amendment request through the online License system.      
Mark Affidavits of removed users as "Void" in the License file.  
Retain copies of the emails from IES confirming the initial submission and final approval of the "Delete User" amendment in the License file.  

Add Database Amendment

A licensee may request access to another database in addition to what was agreed to in the original License, by means of an "Add Database" amendment through the online License system. This amendment must also be requested in order to obtain different waves of the database(s) requested under the original License.

Any new database requested must be covered by the Affidavits of Nondisclosure on file for each listed License user. If the requested database is covered, no paperwork is needed to complete the amendment process. If the Affidavit(s) does not cover the requested data, the licensee must send IES new original signed and notarized Affidavits for all listed users who will have access to the new database.

Each request for a different database (i.e., other than a followup to a previously loaned database) must be accompanied by a description of the statistical research project and how the restricted-use database will be used and justification for access. (See detailed Formal Request Requirements in Section 2.4).

Upon receipt of Affidavits that cover the requested data, the IES Data Security Office will approve the amendment. The new database will be sent Restricted Delivery—Certified Mail to the listed address of the PPO.

Add Database Amendment Checklist
Initiate the request for the additional database(s) via an "Add Database" amendment request through the online License system      
Complete all required fields for the amendment online.  
Send in newly signed and notarized Affidavits for all license users if current Affidavits do not cover the requested database(s). Copies of all new affidavits should be retained in the License file.  
Retain copies of the emails from IES confirming the initial submission and final approval of the "Add Database" amendment in the License file.  

Add a New Research Project

If the focus of your research changes from the project approved in your initial license request, an amendment must be filed describing the new research project. This amendment must include: the following:

  • describe the final research objective,
  • articulate specific research questions,
  • identify the specific variables or sets of variables to be used,
  • describe the statistical techniques to be used,
  • explain why the public-use version of the data is insufficient for your research needs,
  • describe the sector(s) of the community that will be served by the product, and
  • assure IES that the data will not be used for any administrative or regulatory purpose in addition to, or instead of, the statistical purpose described.

Modify Security Plan Amendment

As part of the License agreement, IES requires each licensee to designate a specific secure project office in which the restricted-use data will be used and stored. If the location of the secure project office is going to be changed, or an additional project office added to the License, the PPO must submit a "Modify Security Plan" amendment through the online License system before the relocation. The PPO must detail the new location and any changes to the established security procedures in the amendment request. The PPO must also send a completed and signed Security Plan Form with the new information to the IES Data Security Office for review before this amendment can be approved. The restricted-use data cannot be moved to the new location until the revised Security Plan Form has been approved by IES.

Note: If the secure project office must change locations temporarily (e.g. for remodeling or maintenance), and will return to the approved site within a short period of time, no "Modify Security Plan" is required. In this case, the PPO should email the IES Data Security Office with the following information: the temporary location of the secure project office, the expected duration of the relocation, and confirmation that all required security procedures will be followed at the new location. Information regarding the required security procedures may be found in Chapter 3.

Modify Security Plan Amendment Checklist
Inform the IES Data Security Office of a location change for the secure project office via a "Modify Security Plan" amendment through the online License system. This amendment must be submitted and approved before the location of the restricted-use data is changed.      
Complete all required fields for the amendment online, detailing the new address and other pertinent information.  
Send in a completed and signed Security Plan Form detailing the new information.  
Retain copies of the emails from IES confirming the initial submission and final approval of the "Modify Security Plan" amendment in the License file.  

Extend License Amendment

When the loan period of the original License agreement is completed, licensees have the option of extending the loan period for up to five years, using an "Extend License" amendment request through the online License system. The licensee must meet all current licensing requirements in order to qualify for the extension. New license data user training certificates must be submitted for each authorized user on the license. Any obsolete paperwork must be updated, and all current security standards required by IES at the time of the extension must be adopted by the licensee before the License extension is approved.

Upon receipt of the amendment request, the IES Data Security Office will review the License file to determine if any information or paperwork needs to be updated. An email will then be sent to the licensee detailing any further steps that must be taken (if any) to complete the extension request. If updated paperwork is required, the extension request will not be approved until the new paperwork is received and approved by the IES Data Security Office.

The "Extend License" amendment request may be submitted up to one year before the expiration of the loan period, and at any point thereafter. Note: Once the loan period for the License has ended, a licensee will only be able to extend or close-out their License; no other amendments will be accepted for an expired License.

Extend License Amendment Checklist
Submit the "Extend License" amendment through the online License system within one year of the expiration of the License loan period.      
Complete and sign any updated paperwork requested by the IES Data Security Office and send the paperwork to the IES Data Security Office  
Retain copies of the emails from IES confirming the initial submission and final approval of the "Extend License" amendment in the License file, along with copies of all updated paperwork.  

Close-out License Amendment

When the loan period is complete and no extension is desired, or the licensee does not need the restricted-use data any longer, a "Close-out License" amendment must be submitted through the online License system. After the request has been submitted online, the licensee must return all restricted-use data and associated materials to IES, along with a completed and signed close-out certification form. A copy of the close-out certification form may be found in Appendix M.

On the close-out certification form, the PPO must list all databases being returned, and confirm that all restricted-use data have been wiped from the computer, that all backup copies and any restricted-use data printouts have been destroyed, and that any remaining documents or publications using the restricted-use data will be sent to the IES Data Security Office for disclosure review prior to distribution to non-licensed individuals (the disclosure review process is described in Section 2.5). The form must also be signed by a second witness, confirming the restricted-use data have been deleted or destroyed.

This completed and signed form must be sent to IES along with all restricted-use data materials obtained under the License, and a tracking number must be used on the shipment. Unless the restricted-use data materials and the completed close-out form are both returned to the IES Data Security Office, the License cannot be closed.

.

Once all restricted-use data and the close-out certification form have been received, the "Close-out License" amendment request will be approved by IES and the licensee will receive an email confirmation that the License has been closed. Note: The IES Data Security Office reserves the right to conduct a close-out inspection of the project site after the License has been closed in order to ensure that all required close-out procedures have been followed.

Close-out License Amendment Checklist
Request a “Close-out License” amendment online through the online License system if the licensee no longer needs the restricted-use data or if the loan period has expired.      
Destroy all hard copy versions of subject data and backup copies. Overwrite the subject data on computer used in analysis (all data must be totally obliterated so that the data cannot be recovered by any means).  
Return the original subject data and a completed close-out certification form to the IES Data Security Office using a tracking number on the shipment.  
Submit any remaining documents or publications to the IES Data Security Office for disclosure review prior to disseminating them to non-licensed individuals.  

Changes to the License that are not covered by the six online amendments should only be initiated by the PPO through an email to the IES Data Security Office. Such changes might include changing the PPO, SO or SSO, canceling a pending online amendment, or requesting new copies of databases already obtained under the License if original copies are found to be defective.

All amendment requests and changes to the License must originate from the PPO.

2.7 Applicant/Licensee Record

The following checklist summarizes the Licensing Procedures for Restricted-Use Data.

ACTIVITY
REVIEW REQUIRED PROCEDURES  
Obtain a copy of the Restricted-Use Data Procedures Manual.      
    Review the manual.
 
APPLYING FOR A LICENSE  
Submit the following to the IES Data Security Office through the electronic license application system at: http://nces.ed.gov/StatProg/instruct.asp -  
Formal Request:
  
      (1) Contact information of the Principal Project Officer (PPO)
 
      (2) Contact information of the Senior Official (SO)
 
      (3) Contact information of the Systems Security Officer (SSO)
 
      (4) Title of requested database(s)
 
      (5) Description of the statistical research project for which the restricted-use data are needed; explanation of why the restricted-use data are needed (e.g., instead of the public data version); explanation of how the statistical research project is consistent with the specific purpose for which the study data was collected
 
      (6) Names and titles of other persons who will use and access the data
 
      (7) Estimated loan period (not to exceed five years)
 
Paperwork
  
Send the following three items to the IES Data Security Program.  
 
 
      (a) Ensure personnel who will execute Affidavits read and understand the License contract and the security procedures.
 
      (b) Complete, sign, and notarize the Affidavits of Nondisclosure for all project personnel, including support staff.
 
      (c) All project personnel must complete the IES data user trainning and print each data user's license data user triaing certificate,
 
    3) Security Plan Form - Complete and sign the Security Plan Form found in Appendix J. Add in any additional protections due to local conditions.
 
REQUIRED LICENSEE ACTIVITY  
 
    Have on file at the licensed secure project office, copies of:
 
      (1) Emails received from the IES Data Security Office,
 
 
      (3) Amendments to the License and all associated request/approval emails,
 
 
 
      Instruct all project staff about what the License file is and where it is kept.
 
 
      (1) Forward to IES for review copies of each publication or document before it is distributed to non-licensed individuals. IES will formally notify the licensee if the publication is cleared for dissemination (i.e., no disclosure risks were found).
 
      (2) A final copy of each publication containing information based on restricted-use data must be forwarded to IES.
 
 
      (1) After conducting an on-site inspection, IES will provide formal notification of any violations found
 
      (2) All identified security violations must be corrected.
 
      (3) Licensee must notify IES in writing of the corrective measures.
 
AMENDING A LICENSE  
Licensee must notify IES if there will be any changes to the conditions of the License. The following six amendments must be initiated through the online License system:  
    (1) Add User—After submitting online request, send in original signed and notarized Affidavits of Nondisclosure for new user(s)
 
    (2) Delete User—After submitting online request, IES will approve request
 
    (3) Add Database—After submitting online request, send in new affidavits for all users if current affidavits do not cover requested data
 
    (4) (4) Add a New Research Project— If the focus of your research changes from the project approved in your initial license request, an amendment must be filed describing the new research project
 
    (6) Extend License—After submitting online request, send in any updated paperwork requested by the IES Data Security Office
 
    (7) Close-out License—After submitting the online request, send completed close-out certification form and all restricted-use data materials to the IES Data Security Office, using a tracking number on the shipment, destroy all hard copies of restricted-use data, purge all subject data from all computers used for data analysis, and send any remaining documents using subject data to the IES Data Security Office for a disclosure review.
 
Any other changes to the License must be requested via email by the PPO.  

1 Because federal laws cannot be enforced outside of the United States, restricted-use data cannot leave the United States.

Top