Appendix F: License
LICENSE FOR THE USE OF
INDIVIDUALLY IDENTIFIABLE INFORMATION
THE EDUCATION SCIENCES REFORM ACT OF 2002
AND PROTECTED, AS APPLICABLE, UNDER
THE E-GOVERNMENT ACT OF 2002, TITLE V
THE CONFIDENTIAL INFORMATION PROTECTION AND STATISTICAL
EFFICIENCY ACT OF 2002,
THE FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT
AND THE PRIVACY ACT OF 1974
WHEREAS, the Institute of Education Sciences (IES) of the United States Department of Education has collected and maintains individually identifiable information, the confidentiality of which is protected by section 183 of the Education Sciences Reform Act of 2002 (ESRA) (PL 107-279) (20 U.S.C. 9573), and, as applicable, by the Privacy Act of 1974 (5 U.S.C. 552a); the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g); and Title V, subtitle A of the E-Government Act of 2002 (CIPSEA) (PL 107-347) (44 U.S.C. 3501 note); and
WHEREAS, IES wishes to make the data available for statistical, research, or evaluation purposes to requestors qualified and capable of research and analysis consistent with the statistical, research, or evaluation purposes for which the data were provided or are maintained, but only if the data are used and protected in accordance with the terms and conditions stated in this license (License), upon receipt of such assurance of qualification and capability, it is hereby agreed between
(Insert the name of the agency or organization to be licensed)
hereinafter referred to as the "Licensee", and IES that:
I. INFORMATION SUBJECT TO THIS AGREEMENT
- All data containing individually identifiable information about students, their families, and their schools maintained by IES under section 183 of the Education Sciences Reform Act of 2002, that are provided to the Licensee and all information derived from those data, and all data resulting from merges, matches, or other uses of the data provided by IES with other data are subject to this License and are referred to in this License as subject data.
- Subject data under this License may be in the form of CD-ROMs, electronic data, hard copy, etc. The Licensee may only use the subject data in a manner and to a purpose consistent with:
- The statistical, research, or evaluation purpose for which the data are maintained. All subject data that include individually identifiable information are protected under the Privacy Act, ESRA, and/or CIPSEA and may be used only for statistical, research, or evaluation purposes consistent with purposes for which the data were collected and /or are maintained (Licensee's description of the research and analysis which is planned is attached and made a part of this License - Attachment No. 1.);
- Subject data that includes personally identifiable information from students’ education records are protected under FERPA and may only be used for the evaluation of Federally-supported education programs or for conducting studies, for, or on behalf of, educational agencies or institutions to improve instruction. (Licensee's description of the evaluation or study which is planned is attached and made a part of this License - Attachment No. 1.);
- The limitations imposed under the provisions of this License; and
- Section 183 of the Education Sciences Reform Act of 2002 (20 U.S.C. 9573); and, as applicable, Title V, subtitle A of the E-Government Act of 2002 (44 U.S.C. 3501 note); the Privacy Act of 1974 (5 U.S.C. 552a), and the Family Educational Rights Protection Act (20 U.S.C. 1232g) which are attached to and made a part of this License (Attachment No. 2.)
II. INDIVIDUALS WHO MAY HAVE ACCESS TO SUBJECT DATA
- There are four categories of individuals that the Licensee may authorize to have access to subject data. The four categories of individuals are as follows:
- The Principal Project Officer (PPO) is the most senior officer in charge of the day-to-day operations involving the use of subject data and is responsible for liaison with IES.
- Professional/Technical staff (P/T) conduct the research for which this License was issued.
- Support staff includes secretaries, typists, computer technicians, messengers, etc. Licensee may disclose subject data to support staff who come in contact with the subject data in course of their duties only to the extent necessary to support the research under this License.
- The System Security Officer (SSO) is responsible for maintaining the day-to-day security of the licensed data, including the implementation, maintenance, and periodic update of the Security Plan to protect the data in strict compliance with statutory and regulatory requirements.
- Licensee may disclose subject data to only to only seven (7) staff, including the PPO, SSO, P/TS, and support staff, unless IES provides written authorization for a larger number of P/TS.
III. LIMITATIONS ON DISCLOSURE
- Licensee shall not use or disclose subject data for any administrative purposes nor may the subject data be applied in any manner to change the status, condition, or public perception of any individual regarding whom subject data is maintained. (Note: Federal Law pre-empts any State law that might require the reporting or dissemination of these data for any purpose other than the statistical, research, and evaluation purposes for which they were collected and/or are maintained.)
- Licensee shall not disclose subject data or other information containing, or derived from, subject data at fine levels of geography, such as school district, institution, or school, to anyone other than IES employees working in the course of their employment or individuals for whom access is authorized under this License agreement. Licensee may make disclosures of subject data to individuals other than those specified in this License only if those individuals have executed an Affidavit of Nondisclosure and the Licensee has obtained advance written approval from the IES Data Security Office.
- Licensee shall not make any publication or other release of subject data listing information regarding individuals or specific educational institutions even if the individual respondent identifiers have been removed.
- Licensee may publish the results, analysis, or other information developed as a result of any research based on subject data made available under this License only in summary or statistical form so that the identity of individuals or specific educational institutions contained in the subject data is not revealed.
IV. ADMINISTRATIVE REQUIREMENTS
- The research conducted under this License and the disclosure of subject data needed for that research must be consistent with the statistical, research, or evaluation purpose for which the data were supplied. The subject data may not be used to identify individuals or specific educational institutions for recontacting unless Licensee has obtained advance written approval from the IES Data Security Office.
- Execution of Affidavits of Nondisclosure.
- Licensee shall provide a copy of this agreement, together with the Security Plan (Attachment No. 3) to the SSO and to each P/T and support staff person of the Licensee who will have access to subject data and shall require each of those individuals to execute an Affidavit of Nondisclosure (Attachment No. 4).
- The Licensee must ensure that each individual who executes an Affidavit of Nondisclosure reads and understands the materials provided to her or him before executing the Affidavit.
- Licensee shall ensure that each Affidavit of Nondisclosure is notarized upon execution.
- Licensee may not permit any individual specified in paragraph II.A. to have access to subject data until the procedures in paragraphs IV.B.1. through 3 of this License are fulfilled for that individual.
- Licensee shall promptly, after the execution of each Affidavit, send the original Affidavit to the IES Data Security Office and shall maintain a copy of each Affidavit at the Licensee's secured facility protected under this License.
- Notification regarding authorized individuals to IES.
- Licensee shall promptly notify the IES Data Security Office when the SSO, or any P/T or support staff who has been authorized to have access to subject data no longer has access to those data.
- Publications made available to IES.
- Licensee shall provide the IES Data security Office a copy of each publication containing information based on subject data or other data product based on subject data before they are made available to individuals who have not executed an Affidavit of Nondisclosure.
- Because the publication or other release of research results could raise reasonable questions regarding disclosure of individually identifiable information contained in subject data, copies of the proposed publication or release must be provided to the IES Data Security Office before that disclosure is made so that IES may advise whether the disclosure is authorized under this License and the provisions of section 183 of the Education Sciences Reform Act of 2002; Title V, subtitle A of the E-Government Act of 2002; the Privacy Act of 1974; and the Family Educational Rights and Privacy Act. Licensee agrees not to publish or otherwise release research results provided to IES if IES advises that such disclosure is not authorized.
- Licensee shall notify the IES Data Security Office immediately upon receipt of any legal, investigatory, or other demand for disclosure of subject data.
- Licensee shall notify the IES Data Security Office immediately upon discovering any breach or suspected breach of security or any disclosure of subject data to unauthorized parties or agencies.
- Licensee agrees that representatives of IES have the right to make unannounced and unscheduled inspections of the Licensee's facilities, including any associated computer center, to evaluate compliance with the terms of this License and the requirements of section 183 of the Education Sciences Reform Act of 2002; Title V, subtitle A of the E-Government Act of 2002; the Privacy Act of 1974; and the Family Educational Rights and Privacy Act.
V. SECURITY REQUIREMENTS
- Maintenance of, and access to, subject data.
- Licensee shall retain the original version of the subject data at a single location and may make no copy or extract of the subject data available to anyone except the SSO or a P/T staff member as necessary for the purpose of the statistical research for which the subject data were made available to the Licensee.
- Licensee shall maintain subject data (whether maintained on a personal computer or on printed or other material) in a space that is limited to access by the PPO, SSO, and authorized P/T staff.
- Licensee shall ensure that access to subject data maintained in computer memory is controlled by password protection. Licensee shall maintain all print-outs, CD-ROMS, personal computers with subject data on hard disks, or other physical products containing individually identifiable information derived from subject data in locked cabinets, file drawers, or other secure locations when not in use.
- Licensee shall ensure that all printouts, tabulations, and reports are edited for any possible disclosures of subject data.
- Licensee shall establish security procedures to ensure that subject data cannot be used or taken by unauthorized individuals.
- Licensee shall not permit removal of any subject data from the limited access space protected under the provisions of this License as required in the attached Security Plan (Attachment No. 3.), without first notifying, and obtaining written approval from, IES.
- Retention of subject data.
Licensee shall return to the IES Data Security Office all subject data, or destroy those data under IES supervision or by approved IES procedures when the statistical analysis, research, or evaluation that is the subject of this agreement has been completed or this License terminates, whichever occurs first. Licensee, as part of its responsibilities discussed herein, agrees to submit a completed Close-out Certification Form to the IES Data Security Office.
- Compliance with established security procedures.
Licensee shall comply with the security procedures described in the Security Plan (Attachment No. 3 to this License).
- Any violation of the terms and conditions of this License may subject the Licensee to immediate revocation of the License by IES.
- The IES official responsible for liaison with the Licensee shall initiate revocation of this License by written notice to Licensee indicating the factual basis and grounds for revocation.
- Upon receipt of the notice specified in paragraph VI.A.1 of this License, the Licensee has thirty (30) days to submit written argument and evidence to the Director of IES indicating why the License should not be revoked.
- The Director of IES shall decide whether to revoke the License based solely on the information contained in the notice to the Licensee and the Licensee's response and shall provide written notice of the decision to the Licensee within forty-five (45) days after receipt of Licensee's response. The Director of IES may extend this time period for good cause.
- Any violation of this License may also be a violation of Federal criminal law under the Privacy Act of 1974 (5 U.S.C. 552a(i)); section 183 of the Education Sciences Reform Act of 2002 (20 U.S.C. 9573(d)(2); and/or Title V, subtitle A of the E-Government Act of 2002. Alleged violations under section 183 of the Education Sciences Reform Act of 2002 and Title V, subtitle A of the E-Government Act of 2002 are subject to prosecution by the Offices of the United States Attorney. The penalty for violation of section 183 of the Education Sciences Reform Act of 2002 and Title V, subtitle A of the E-Government Act of 2002, is a fine of not more than $250,000 and imprisonment for a period of not more than five years.
VII. PROCESSING OF THIS LICENSE
- The term of this License shall be for ____ years. If, before the expiration of this License, the Director of IES establishes regulatory standards for the issuance and content of Licenses, the Licensee agrees to comply with the regulatory standards.
- This License may be amended, extended, or terminated by mutual written agreement between the Licensee and the Director of IES. Any amendment must be signed by a Senior Official specified in paragraph VII.C. of this License, PPO, and the Director of IES and is effective on the date that all required parties have signed the amendment.
- The Senior Official (SO), who cannot be the same individual designated as the PPO, having the legal authority to bind the organization to the terms of the License, shall sign this License below. The SO certifies, by his/her signature, that -
- The organization has the authority to undertake the commitments in this License;
- The SO has the legal authority to bind the organization to the provisions of this License; and
- The PPO is the most senior subject matter officer for the Licensee who has the authority to manage the day-to-day statistical, research, or evaluation operations of the Licensee.
Signature of the Senior Official Date
Type/Print Name of Senior Official
Title:______________________________ Telephone: (____)_______
- The individual described in paragraph II.A1. as the PPO shall sign this License below. If the SO also acts as the chief statistical officer for the Licensee; viz. as the PPO, the SO shall likewise sign under this paragraph as well as having signed under paragraph VII.C.
Signature of the Principal Project Officer Date
Type/Print Name of the Principal Project Officer
Title:______________________________ Telephone: (____)_______
- The Director of the Institute of Education Sciences or Designee issues this License to
______________________________________________. The License is effective as of the date of the Director of IES or Designee's signature below, or such other period specified in the Licensee's request for the License.
Signature of Director of IES or Designee
Type/Print Name of Director of IES or Designee
IES License Control Number: ________________________________