Confidentiality and Data Security

All of the information provided as part of NCES sample studies may be used only for statistical purposes and may not be disclosed, or used, in identifiable form for any other purpose except as required by law (20 U.S.C. §9573 and 6 U.S.C. §151). Any student data released to the general public (for example, in statistical tables) are formatted so that it is not possible to identify specific individuals.

Specific measures have been taken to protect data submitted through this website:

  • Data are collected over a secure server and connection, protected by Secure Sockets Layer technology (SSL; 128-bit encryption). A unique study identification variable (not the Social Security number or institution student ID) are created and maintained for each sampled student to protect against inadvertent disclosure of confidential data.
  • All electronic data are secured in protected data files, and personally identifiable information (PII) is stored in files separate from the descriptive information. The data are stored securely on an Enhanced Security Network, which is certified and accredited as a NIST moderate security level network. NCES and RTI employ strict procedures for the transfer of PII; maintenance, storage, and use of direct identifiers; replacement of direct identifiers with internal codes; security of master survey files; and reporting of data security breaches in accord with the U.S. Department of Education Incident Handling Procedures. For more information on NIST security level, please see FIPS Publication 199 at https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf.
  • All NCES staff and contractors are subject to severe fines and possible imprisonment for disclosing individual responses.
  • All RTI project staff members have signed Confidentiality Agreements and Affidavits of Nondisclosure and are prohibited by law from using the obtained information for any purposes other than this research study.
  • Data security procedures are reviewed and approved by NCES data security staff.
Confidentiality and data security protection procedures have been put in place for the studies accessible through this website to ensure that the contractor and its subcontractors comply with all privacy requirements, including:

  1. The statement of work of each contract;
  2. Family Educational Rights and Privacy Act (FERPA) of 1974 (20 U.S.C. §1232(g));
  3. Privacy Act of 1974 (5 U.S.C. §552a);
  4. Privacy Act Regulations (34 CFR Part 5b);
  5. Computer Security Act of 1987;
  6. U.S.A. Patriot Act of 2001 (P.L. 107-56);
  7. Education Sciences Reform Act of 2002 (ESRA 2002, 20 U.S.C. §9573);
  8. Cybersecurity Enhancement Act of 2015 (6 U.S.C. §151);
  9. Foundations of Evidence-Based Policymaking Act of 2018, Title III, Part B, Confidential Information Protection;
  10. The U.S. Department of Education General Handbook for Information Technology Security General Support Systems and Major Applications Inventory Procedures (March 2005);
  11. The U.S. Department of Education Incident Handling Procedures (February 2009);
  12. The U.S. Department of Education, ACS Directive OM: 5-101, Contractor Employee Personnel Security Screenings;
  13. NCES Statistical Standards; and
  14. All new legislation that impacts the data collected through the contract for this study.
The data collection contractor complies with the U.S. Department of Education’s IT security policy requirements as set forth in the Handbook for Information Assurance Security Policy and related procedures and guidance, as well as IT security requirements in the Federal Information Security Management Act (FISMA), Federal Information Processing Standards (FIPS) publications, Office of Management and Budget (OMB) Circulars, and the National Institute of Standards and Technology (NIST) standards and guidance. All data products and publications will also adhere to the NCES Statistical Standards, as described at the website: https://nces.ed.gov/statprog/2012/.