Should You Release De-identified Data?
January 1, 2018
If you closely read contracts for technology products and services your district uses, you will frequently see provisions in the contract regarding who owns the data within the technology application. “What data?” you ask. For example, you may have contracted with a provider to operate cloud- or Internet-based services for your student information system (SIS) or your special education data. These online services are just giant databases where you store all the information you once would have kept in dozens of filing cabinets. You can now enter into the database all the sensitive and personal information about students that you traditionally kept under lock and key. All that information is considered “personally identifiable information,” or PII, about each student. That PII also constitutes “educational records” about the student, and is information that is protected by the Family Educational Rights and Privacy Act (FERPA).
The vendors of the services you contract for are very interested in your district’s data. Data are a valuable commodity, and an online database provider can get a significant payback by selling that data to other vendors who are interested in the marketing possibilities of the data or by your vendor using your data to develop new products themselves. FERPA has a few seemingly contradictory provisions that address re-use of PII.
34 CFR 99.33(a)(2) states that:
The officers, employees, and agents of a party that receives information under paragraph (a)(1) of this section may use the information, but only for the purposes for which the disclosure was made.
Paragraph (a)(1) is the provision that allows a district to put its data in a database controlled by an outside vendor only if the outside vendor does not redisclose the information without permission of the parent or adult student. So in a nutshell, the district can give PII to a vendor for a school purpose, but the vendor may not redisclose (sell, transfer, etc.) that data or use it for purposes other than the one the school intended. In that case, the database vendor is considered a “school official” in its use of the records, but only for the uses that the school contracted and if the school oversees the vendor’s use of the PII. 32 CFR 99.31(a)(1)(i)(B).
34 CFR 99.31(b) discusses de-identified data:
(b)(1) De-identified records and information. An educational agency or institution, or a party that has received education records or information from education records under this part, may release the records or information without the consent required by §99.30 after the removal of all personally identifiable information provided that the educational agency or institution or other party has made a reasonable determination that a student's identity is not personally identifiable, whether through single or multiple releases, and taking into account other reasonably available information.
(2) An educational agency or institution, or a party that has received education records or information from education records under this part, may release de-identified student level data from education records for the purpose of education research by attaching a code to each record that may allow the recipient to match information received from the same source, provided that-
(i) An educational agency or institution or other party that releases de-identified data under paragraph (b)(2) of this section does not disclose any information about how it generates and assigns a record code, or that would allow a recipient to identify a student based on a record code;
(ii) The record code is used for no purpose other than identifying a de-identified record for purposes of education research and cannot be used to ascertain personally identifiable information about a student; and
(iii) The record code is not based on a student's social security number or other personal information.
This section might seem to allow districts to agree in contracts to permit vendors to harvest student data stripped of identifying information. But even a release of limited data such as birthdate and school grade, when matched against other databases from possibly other sources, can be combined to identify a student with near certainty, which would violate 34 CFR 99.31(b)(1). The Electronic Privacy Information Center (epic.org) reports that with just three census data points (birth date, sex, and zip code) a researcher was able to re-identify 87% of the United States population! EPIC, The Process of Re-Identification, available at: https://epic.org/privacy/reidentification/#process. Imagine the ability to re-identify student data if a researcher had school grade, courses taken, and zip code and matched that data with directory information available from a Public Information Act request. That would run afoul of the prohibition on releasing enough data to match students up with other publicly available information. 34 CFR 99.31(b)(1).
A better compromise with a vendor may be to allow anonymized data. De-identified data still includes record numbers or other unique identifiers that can be used to re-connect the data to its original form; anonymized data has had those unique identifiers removed. Another possibility (according to the Privacy Technical Assistance Center of the US Department of Education) is to “blur” the data, reducing its precision, such as giving percentile ranges or rounded numbers rather than precise scores for a given student. Aggregated data might serve the same purpose, as it has no unique identifiers linked to individual students.
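The two preceding points, that birth date, sex, zip code and grade can single a student out when matched against directory information, and that blurring reduces that risk, can be checked before a release rather than argued about afterward. The following Python script is an added example, not code from the article, EPIC or PTAC. It uses a small constructed set of student records and a constructed directory listing, measures the smallest group of records sharing one combination of quasi-identifiers (the "k" of k-anonymity, a term the article does not use), counts how many released rows would line up with exactly one directory entry, and then applies blurring (birth date to year, zip to three-digit prefix, exact score to a ten-point band, grade to a band) and re-runs the same checks. The field names, the blurring rules and the threshold `k` are assumptions chosen for the example.

```python
"""
Release-readiness check for de-identified student records.

Added example (not part of the original article). All records and the
directory listing below are constructed sample data.
"""
from collections import Counter, defaultdict

# Quasi-identifiers: fields that are not names or ID numbers but still
# narrow a student down when combined (the article's birth date, sex,
# zip code and school grade).
QUASI_IDS = ("birth_date", "sex", "zip", "grade")

# Constructed release: direct identifiers already removed.
RELEASE = [
    {"birth_date": "2009-03-14", "sex": "F", "zip": "78701", "grade": 8, "score": 91},
    {"birth_date": "2009-07-02", "sex": "M", "zip": "78701", "grade": 8, "score": 74},
    {"birth_date": "2009-11-23", "sex": "F", "zip": "78704", "grade": 8, "score": 88},
    {"birth_date": "2010-01-30", "sex": "M", "zip": "78704", "grade": 7, "score": 65},
    {"birth_date": "2010-05-17", "sex": "M", "zip": "78704", "grade": 7, "score": 79},
    {"birth_date": "2009-09-09", "sex": "M", "zip": "78701", "grade": 8, "score": 83},
    {"birth_date": "2009-04-21", "sex": "F", "zip": "78702", "grade": 8, "score": 95},
    {"birth_date": "2009-12-05", "sex": "M", "zip": "78702", "grade": 8, "score": 58},
]

# Constructed "other reasonably available information": a directory listing
# of the kind a public records request might return. Names are placeholders.
DIRECTORY = [
    {"name": "Student A", "birth_date": "2009-03-14", "sex": "F", "zip": "78701", "grade": 8},
    {"name": "Student B", "birth_date": "2009-07-02", "sex": "M", "zip": "78701", "grade": 8},
    {"name": "Student C", "birth_date": "2009-11-23", "sex": "F", "zip": "78704", "grade": 8},
    {"name": "Student D", "birth_date": "2010-01-30", "sex": "M", "zip": "78704", "grade": 7},
    {"name": "Student E", "birth_date": "2010-05-17", "sex": "M", "zip": "78704", "grade": 7},
    {"name": "Student F", "birth_date": "2009-09-09", "sex": "M", "zip": "78701", "grade": 8},
    {"name": "Student G", "birth_date": "2009-04-21", "sex": "F", "zip": "78702", "grade": 8},
    {"name": "Student H", "birth_date": "2009-12-05", "sex": "M", "zip": "78702", "grade": 8},
]


def min_group_size(records, quasi_ids=QUASI_IDS):
    """Smallest number of records sharing one combination of quasi-identifiers.
    A value of 1 means at least one record is unique on those fields."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())


def blur(record):
    """Reduce precision along the lines of PTAC's blurring guidance (the exact
    rules here are assumptions): birth date -> year, 5-digit zip -> 3-digit
    prefix, exact grade -> grade band, exact score -> ten-point band.
    Other keys (such as a directory name) are passed through unchanged."""
    out = dict(record)
    out["birth_date"] = record["birth_date"][:4]
    out["zip"] = record["zip"][:3]
    out["grade"] = "6-8" if 6 <= record["grade"] <= 8 else "other"
    if "score" in record:
        lo = (record["score"] // 10) * 10
        out["score"] = f"{lo}-{lo + 9}"
    return out


def blur_all(records):
    return [blur(r) for r in records]


def unique_link_count(release, directory, quasi_ids=QUASI_IDS):
    """Number of released rows whose quasi-identifiers match exactly one
    directory entry. Each such row is re-identifiable by anyone holding the
    directory, so a release should drive this count to zero."""
    index = defaultdict(list)
    for d in directory:
        index[tuple(d.get(q) for q in quasi_ids)].append(d["name"])
    return sum(1 for r in release
               if len(index[tuple(r[q] for q in quasi_ids)]) == 1)


def release_ok(release, directory, k=3, quasi_ids=QUASI_IDS):
    """Reasonable-determination gate: every quasi-identifier combination is
    shared by at least k records, and no row links to a single directory entry.
    The directory should be blurred with the same rules as the release, since
    anyone holding it can apply the same generalisation."""
    return (min_group_size(release, quasi_ids) >= k
            and unique_link_count(release, directory, quasi_ids) == 0)


if __name__ == "__main__":
    print("raw:     min group", min_group_size(RELEASE),
          "unique links", unique_link_count(RELEASE, DIRECTORY))
    b_rel, b_dir = blur_all(RELEASE), blur_all(DIRECTORY)
    print("blurred: min group", min_group_size(b_rel),
          "unique links", unique_link_count(b_rel, b_dir))
    print("release ok at k=2:", release_ok(b_rel, b_dir, k=2))
```

On the constructed data every raw row is unique and links to exactly one directory entry; after blurring the smallest group has two members and no row links to a single entry, so the release passes at k=2 but still fails at k=3. The sample is deliberately tiny; a real release would use a larger k, and the directory table stands in for whatever public or purchased data the vendor must treat as "reasonably available."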
If the contract you are considering does require the district to permit release of de-identified data, per 34 CFR 99.31(b)(1) the vendor is required to make a reasonable determination that the data cannot be re-identified through “single or multiple releases” and must take into account “other reasonably available information” such as publicly available data or even purchased database access. Before signing the contract, however, remember that FERPA applies to the school district, not the vendor, so you will want written assurances about how the vendor will use the de-identified information and that the vendor (or anyone with whom it shares the data) will not attempt to re-identify the data. You can always ask your school attorney for a contract review of any technology contract that seems problematic; it’s always better to be safe on the front end than to deal with the repercussions of a data breach.