POLICY LETTER: November 18, 2004 to Tennessee Department of Education Policy Analyst Matthew J. Pepper

November 18, 2004Mr. Matthew J. PepperPolicy AnalystTennessee Department of EducationAndrew Johnson Tower, 6th Floor710 James Robertson ParkwayNashville, Tennessee 37243Dear Mr. Pepper:This is in response to your November 5, 2004, inquiry in which you ask about the applicability of the Family Educational Rights and Privacy Act (FERPA) to the release of student level records to researchers. You state that the Tennessee Department of Education (TDE) routinely receives requests from researchers for student level data and you are attempting to develop a policy to allow the release of these records. You state that you plan to encrypt the records by changing a student's social security number to a unique student identifier. You state that the crosswalk between the social security number and unique student identifier will not be released to researchers. You also ask about the release of small data cells where an individual can be identified by the research. This Office administers FERPA and is responsible for investigating complaints and providing technical assistance to ensure compliance with the statute and regulations. 20 U.S.C. 1232g; 34 CFR Part 99.As you know, FERPA generally provides that an educational agency or institution may not have a policy or practice of releasing a student's education records, or personally identifiable information contained within those records, without the prior written consent of the student's parent or parents. 20 U.S.C. 1232g(b)(1). According to the Department's regulations implementing FERPA, personally identifiable information includes a personal identifier, such as the student's social security number or student number. See 34 CFR 99.3. Education records may be released without consent if all personally identifiable information has been removed.In addition to FERPA, Congress has also recognized that scientifically valid educational research, including applied research, basic research, and field-initiated research, can provide parents, educators, students, researchers, policymakers, and the general public with reliable information about educational practices that improve academic achievement. Such research can also provide important information about the effectiveness of Federal and other education programs. See sections 102(20) and 111(b) of the Education Sciences Reform Act of 2002. In particular, academic accountability is a central focus of the No Child Left Behind Act of 2001, and high-quality research is one of the ways to show whether the achievement gap is closing. A key component of such research is the use of longitudinal studies in which individual student performance is evaluated over a period of time.Page 2 Mr. Matthew J. PepperTo provide appropriate access to data for such studies, and consistent with the privacy protections of FERPA, the Department intends to promulgate regulations in the future defining this type of non-personally identifiable (anonymous) data, thus allowing disclosure, without parental consent, but with appropriate privacy safeguards. While the Department affirms FERPA's requirements, data that cannot be linked to a student by those reviewing and analyzing the data are not personally identifiable. As such, the data are not directly related to any students. Accordingly, a document containing only non-personally identifiable data, even when originally taken from a student's education record, is not a part of the student's education records for purposes of FERPA. Thusthe non-personal identifier itself is not a scrambled social security number or student number, unless such identifiers are protected by written agreements reflecting generally accepted confidentiality standards within the research community; and cannot be linked to an individual student by anyone who does not have access to the linking key;the anonymous data file is populated by data from education records in a manner that ensures that the identity of any student cannot be determined, including assurances of sufficient cell and subgroup sizes; andthe linking key that connects the non-personal identifier to student information is itself an education record subject to the privacy provisions of FERPA. In other words, the linking key must be kept within the agency or institution and must not be shared with the requesting entity.These requirements do not limit or otherwise modify the FERPA exception for non-consensual disclosure of personally identifiable information from education records to organizations conducting studies for or on behalf of educational agencies or institutions under 34 CFR 99.31(a)(6).Please note that if this Office receives a complaint containing specific allegations that the above requirements have not been met and the allegations give reasonable cause to believe that a violation of FERPA has occurred, this Office will initiate an investigation into the matter.Page 3 Mr. Matthew J. PepperAs a reminder, in reporting information, if cell size or other information would make a student's identity easily traceable, that information would be considered personally identifiable. See 34 CFR 99.3. The educational agency or institution should use generally accepted statistical principles and methods to ensure that the data are reported in a manner that fully prevents the identification of students. If that cannot be done, the data must not be reported.The Department remains strongly committed to enforcing the requirements of FERPA and ensuring that personally identifiable information is protected. Anonymous data procedures will ensure that the data are not traceable to individual students. In addition, the regulations we intend to issue will provide parameters and safeguards to protect the rights of students and parents. In short, the Department's regulations will ensure academic accountability in a framework that protects the identity and privacy of students.Please feel free to contact me if you have any questions about FERPA in general or this issue in particular. Sincerely,/s/LeRoy S. RookerDirectorFamily Policy Compliance Office