9/24/2012
This policy statement pertains to the data maintained by The University of Tennessee Center for
Business and Economic Research (CBER) in the Tennessee Longitudinal Data System (TLDS).
This system will be used for the purpose of providing information needed for data-driven decision making, to support policy research, to monitor operational processes, and to measure operational effectiveness. This system is based on consistent data standards, data accuracy, and data currency.
The TLDS contains data obtained from the Partner Agencies:
The Tennessee Department of Education (DOE)
The Tennessee Higher Education Commission (THEC)
The Tennessee Department of Labor and Workforce Development (TDLWD)
Data from additional sources may be added in the future. This Policy, which is referenced in the
Memorandum of Understanding among Tennessee Partner Agencies in the Tennessee
Longitudinal Data System, will pertain to those sources as well.
The TLDS will give a view of individual lifetime learning progression and workforce participation by:
Providing a longitudinal look at education performance from early childhood to K-12, through postsecondary, and into the workforce,
Giving visibility to the full set of supports and challenges that affect lifetime learning and working, and
Providing integrated data “dashboards” with current and useful data for state agency personnel and other approved users.
The TLDS is intended to provide increased capacity for the Partner Agencies to use computer software tools to integrate data, apply standards and measures, analyze results, determine outcomes, explore best practices, improve instructional procedures, and adjust workforce programs. In addition, to the extent appropriate, the system will be made accessible to school/institution administrators, teachers/faculty, state agency personnel, researchers and others.
This policy statement contains information about the responsibilities of the participating state agencies regarding the collection, reporting, analysis, and use of the data, and the procedures that will be used to ensure the confidentiality of individual person and employer records maintained in the TLDS.
The TLDS is managed by The University of Tennessee Center for Business and Economic
Research (CBER) in accordance with State laws and regulations and Federal laws particularly regarding student and workforce records. Among the Federal laws related to the confidentiality and release of student records are the Family Educational Rights and Privacy Act (FERPA, 34
CFR Part 99), the Individuals with Disabilities Education Act (IDEA, 34 CFR §§ 300.127 and
TLDS Data Access and Management Policy Page 1 of 10
9/24/2012
300.560-300.576), the Protection of Pupil Rights Amendment (PPRA), and the Richard B.
Russell National School Lunch Act (P.L. 108-265).
Tennessee has statutes and regulations that pertain to student, educator, employee, and employer records. Tennessee statutes that are most pertinent to the TLDS include but are not limited to:
TCA § 4-4-125. Dissemination of social security numbers.
TCA § 10-7-504. Confidential records, including teacher evaluations.
TCA § 47-18-2110. Protecting social security numbers from disclosure.
TCA § 49-1-606. Estimates of teacher effect are not public records.
TCA § 49-6-5105. Identification numbers – Limitations on use – Confidentiality.
TCA § 49-7-120. Confidentiality of research records and materials.
TCA § 49-7-216. Confidential data or records of students enrolled in TICUA institutions.
TCA § 50-7-701. Confidentiality of individual’s and employing unit’s data.
As part of the governance of the TLDS, changes and additions to Federal and Tennessee laws and regulations will be reviewed annually to determine if this policy continues to be in compliance.
All of these laws and policies are essential to maintaining the confidentiality of personally identifiable person or employer records as they are collected from the various state agencies and as they are maintained within the TLDS.
The following definitions are derived from relevant federal laws (e.g., FERPA) and other related documents.
Privacy refers to an individual’s right to freedom from intrusion due to disclosure of information without his or her consent.
Confidentiality refers to an agency’s obligation not to disclose or transmit information about individual persons and employers to unauthorized parties. Confidentiality consists of the measures used by an authorized agency to protect how personally identifiable information is collected and maintained and when consent by the individual or employer is required to release information.
Personally identifiable information includes, but is not limited to: the individual’s name; the name of the individual’s parent/guardian or other family member; the address of the individual; a personal identifier, such as the state student identifier; personal characteristics or other information that would make the individual’s identity easily traceable. A small set of this information is used for assigning an identifier and matching individuals from the elementary/secondary, postsecondary, and workforce data systems.
Disclosure means to permit access to, release, transfer, or otherwise communicate confidential information contained in education or workforce records to any party, by any means, including oral, written, or electronic means.
TLDS Data Access and Management Policy Page 2 of 10
9/24/2012
Access means to view, print, download, copy, or otherwise retrieve data from a computer, computer system, or computer network.
Confidential data means information that would tend, by itself or with other information, to identify particular person(s) or employer(s). Confidential data includes information which is intended for the use of a particular person/group and whose unauthorized disclosure could be prejudicial to the individual it identifies.
The TLDS contains data on Tennessee students and educators in P-12 public school districts, students in postsecondary institutions, and participants in the Tennessee workforce programs.
Among the data to be maintained are:
Organization/institution information – names of institutions and agencies, institution or school district type, and other general information about the organizations serving the individuals.
Student records – data about students’ background, coursework, participation in state and federal programs, demographics, assessments, participation in career and technical
(Perkins vocational) education, financial aid qualifications and awards, and degrees/credentials received.
Educator records – information about educators’ and administrators’ backgrounds, assignments, and licensure.
Employee information – employer, salary, unemployment benefits, workforce area, and participation in labor and workforce development programs.
Employer information – employer name, address and industry.
Each of the TLDS agencies uses a different unique identifier. A selected set of data about individuals will allow for the linking of data from the various systems and provide the capacity to assign a unique TLDS identifier for a person. The goal of the unique identifier is to ensure that: 1) only one person is ever assigned a particular number; 2) once a person is assigned a number, that number is always associated with that individual throughout his or her educational career and in the workforce; 3) a person is only assigned one number so that the person is not duplicated in the TLDS database, and 4) the ability to shield or mask personally identifiable information from the research data is provided.
Student level data in the TLDS are collected by state agencies from school districts and postsecondary institutions. Individual student records are collected by the applicable state agency in a prescribed format that is consistent across school districts, across postsecondary institutions, and across school years. Educator records are also collected in a prescribed format.
Other data in the TLDS are collected directly from the individual employee or employer by the state agency.
The data elements maintained in the TLDS reflect a consensus on what is needed for research and decision-making and are based on what is considered best practice. Complete descriptions of data elements are included in the TLDS Data Dictionary. Included are definitions, code sets, formatting information, periodicity, restrictions on sharing of data, and other reporting
TLDS Data Access and Management Policy Page 3 of 10
9/24/2012 requirements. The Data Dictionary is updated whenever changes are made, and participating agencies are informed of changes as soon as possible.
School districts, postsecondary institutions, employees, and employers are the originators of the data submitted. Data on the following types of agency programs will be included:
Public pre-kindergarten programs (all programs for children prior to kindergarten)
Kindergarten
Grades one through twelve
Programs for students with special needs
Career and technical programs
Public postsecondary institutions
Unemployment Insurance
Adult Education
Workforce Investment Act (WIA)
Trade Adjustment Act (TAA)
Job Services
The Partner Agencies retain ownership of all the data they provide to the TLDS. CBER staff functions as the custodian of the data located in the TLDS. In order to protect the data in its custody, the TLDS has established governance policies and procedures which are implemented by the TLDS system manager. These policies and procedures ensure that all data are securely maintained with safeguards on all confidential information in the system.
The TLDS contains clearly defined data elements based on the original collection of the data.
However, there may be distinctions or variations in how data are collected or defined by the various agencies. As part of the development of the TLDS, specific data elements are identified from each agency file to be used in the research database. Where duplicate data elements exist across the agencies, only one will be selected as the authoritative source for the research database. Each Partner Agency will be involved in reviewing duplications and determining the authoritative source for what is used in the TLDS.
Partner Agencies are required to indicate restrictions to access of any particular data elements included in the TLDS. These restrictions are based on federal and state restrictions. Partner
Agencies must indicate if access may be provided to
All or only some of the staff members of the Partner Agency that is the owner of the data,
Partner Agency staff members with research responsibilities in the other Partner
Agencies,
Agents of Partner Agencies with a legitimate need for the data,
Outside researchers with a legitimate request for the data, or
Anyone requesting access to data from the TLDS.
The following data will be provided subject to restrictions which are noted below: Teacher
Value-Added Assessment System (TVAAS), Free/Reduced Lunch indicator and Wage data. The
Partner Agency that owns each of these data elements will permit visibility and extraction of the data by state employees – the Partner Agency Researcher role. However, these Partner Agencies shall review the access request to ensure it is required by the requester to complete his or her job
TLDS Data Access and Management Policy Page 4 of 10
9/24/2012 and/or falls within what is authorized by federal/state regulations. The conditions under which access can be granted are:
Wage data: Require access to complete duties of the job
Free/Reduced Price Lunch Indicator: Released if required for the evaluation and improvement of education or health/nutrition programs
TVAAS: Other than for SEAs, LEAs/Schools and the State Board of Education, the requester must demonstrate that the data are required for the evaluation and improvement of teacher preparation programs
CBER is responsible for managing the TLDS with the assistance of Data Governance Groups which are described in the TLDS Data Governance Guidelines. CBER works with these groups to ensure the success of the TLDS. As part of the data discovery process, CBER (with the
Partner Agencies’ assistance) will identify for each data element what source should be used when multiple sources exist, what code set should be used, if any, and any other information to ensure that the data are correct and complete. When the duplication of elements spans agencies, each agency will be notified and participate in the resolution on how the elements should be used. CBER will protect the identity of individuals and employers by ensuring that identifiable data (Person/Employer Name, street address, SSN/Fed EIN) are not included in the reporting portions of the TLDS. In addition, CBER must oversee the development of documentation on the contents of the TLDS database, the sources of the data, the restrictions on the use of the data and the authoritative source for research and reporting purposes. This information is published in the Data Dictionary available to TLDS users online. To the extent possible, CBER will provide guidance and assistance to TLDS users. CBER is also responsible for guaranteeing the security and confidentiality of the data maintained within this system. (See ‘Protections’)
CBER is responsible for ensuring that the system information is made available to those with a need to have access, and for guarding against improper disclosure of the data. (See ‘Protections’ and ‘Restriction of Access’) CBER will create specialized datasets to satisfy data access requests only when approved by the Partner Agency Research Review Committee as part of the research application process. CBER researchers must meet the same requirements to have access to the data as researchers from outside the Partner Agencies.
As the owners of the data in the TLDS database, Partner Agencies are responsible for identifying the data sources for inclusion, as well as ensuring the quality, completeness, and timeliness of the data. Partner Agencies must provide guidance to their data submitters on how to record data at the point of origination and how to submit the data to the agency. Partner Agencies are responsible for ensuring that the data are submitted on time and in the correct format.
Partner Agencies are responsible for determining who within their agencies will have access to confidential data. As part of the Data Governance process, the Partner Agencies will work together to develop guidelines for determining who should have access to confidential data, which will be documented and implemented by each agency separately. Included in the documentation will be information about who within the agency may have access, how use will be monitored, and what procedures will be used to remove access rights when appropriate.
TLDS Data Access and Management Policy Page 5 of 10
9/24/2012
Additionally the Partner Agencies are responsible for managing the access rights for all members of their user communities. This responsibility includes granting access, assigning rights, and promptly terminating access for users leaving the agency. The TLDS will provide tools to aid the management of these users and their rights.
With the agreement of the Partner Agencies, additional agencies may become partners in the
TLDS. In order to obtain access to the Partner Agency data within the TLDS, these agencies must sign the Addendum to the Memorandum of Understanding that authorizes the transfer of data from the source system into the TLDS and the sharing of data with other Partner Agencies, agree to abide by this Data Access and Management Policy, and provide data from their systems.
CBER will work with these agencies to implement the procedures needed to securely obtain and document their data, and will establish the authorizations needed for Partner Agency staff to obtain access to the data. The Procedure for Adding a New Agency’s Data is provided in the
TLDS Data Governance Guidelines.
Physical System Security
The TLDS server is maintained in a secured server room to restrict physical access and ensure only authorized personnel are able to gain entry. In addition, firewall protection and intrusion detection efforts are in place for the system components. Security notices affecting the system software will monitored and patches applied to minimize risk of security breach. CBER staff will monitor the access logs for the database for activity in violation of this Data Access and
Management Policy document.
Access Security
CBER staff is responsible for maintaining procedures to provide authentication and authorization of users to the system. Authentication is the identification of a person as a legitimate system user. Authorization is the indication of the privileges the authorized person has to access particular data or applications. CBER staff will grant the persons in the Partner Agencies with administrator responsibility for doing real time changes to users’ access to the system and to applications. It is the Partner Agencies’ responsibility to manage the access rights for their users including prompt termination for users leaving the agency. Authorization for administrator access is approved by the TLDS Steering Committee representatives for the agencies which they represent. The Procedure for Approving and Authorizing Access to TLDS is provided in the
TLDS Data Governance Guidelines. This procedure includes guidelines for monitoring access by users, deleting user access when no longer needed, reactivation of dormant accounts, and recommendations for protecting login and password information.
Data Transport Security
Data are collected and imported into the TLDS from multiple sources with frequency ranging from only when requested to multiple times per week. The schedule for the extraction of data released will be timed to coordinate with the frequency of data updates to the agency systems.
All data transfers will be encrypted with a minimum of 128 bits. Source data files will be stored in a secured location with access limited to TLDS system administrators.
TLDS Data Access and Management Policy Page 6 of 10
9/24/2012
Statistical Security
It is the TLDS’s intent to avoid the possibility of inadvertently reporting confidential information about any individual. One use of the TLDS is to produce summary reports from individual data that relate to groups of students, staff and institutions, rather than to those related to single individuals. While it may seem that the use of anonymous aggregated data poses little threat to confidentiality, there are some cases where populations may include only a few individuals.
Statistical disclosure is the risk that arises when a population is so narrowly defined that tabulations are apt to produce a reported number small enough to permit the identification of a single individual. In such cases, the TLDS system will apply statistical cutoff procedures to ensure that confidentiality is maintained. The TLDS system will block any aggregate results with a statistical cutoff in which fewer than five persons might be disclosed. Other measures such as reporting percentages and ranges of data and avoiding the reporting of counts will be used as well to ensure statistical security.
Data access rights to confidential data are given to the individuals within each Partner Agency who are authorized to view or download data. Access may vary by element and depend on the aggregation level. A new unique identifier will be assigned to each individual whose data are entered into the TLDS. Information on the person’s or employer’s name, address, and
SSN/Federal EIN will not be available to users except for a very small number of individuals for whom the identifiable data are required in order to meet their job responsibilities.
Seven types of users of the TLDS are anticipated. Access for the last four types of users will be granted according to guidelines established by the TLDS Data Governance Program. o Public Consumer: Can view basic reports with aggregate statistics and access datasets containing information that qualifies as open records. o Data Contributor: Able to access reports, view and export aggregate data based on the population for which they provide data. Individuals employed by entities where data originates will be granted this role. o Partner Agency Consumer: Able to filter data and view reports based on criteria selected. Individuals employed by a state agency will be granted this role. o Partner Agency Researcher: Can perform advanced data queries, view and export individual records for further statistical analysis. Limited number of individuals employed by a state agency will be granted this role. o Agent of the Partner Agency Researcher: Can perform advanced data queries, view and export masked level data for further statistical analysis. Individuals employed by contracting services established as an agent will be granted this role. o External Researcher: Able to access a masked dataset with ability to perform advanced statistical analysis. Individuals completing research not commissioned by the state will be granted this role. o Partner Agency Administrator: Able to grant TLDS access to Partner Agency personnel and create reports. Limited number of individuals employed by a state agency will be granted this role.
TLDS Data Access and Management Policy Page 7 of 10
9/24/2012
In general, three levels of data visibility will be provided through the TLDS. o Individual Records: All individual level data with confidential data suppressed
(i.e. name and street address). This level is restricted to limited authorized staff o within the Partner Agencies with a demonstrated need for access to complete education program evaluations or to complete the duties of their jobs.
Masked Individual Records: Masked individual level data with suppression of records when grouping results in less than ten to protect identity. This level will be provided to authorized researchers outside of the Partner Agencies. This level may also be provided to staff within the Partner Agencies who do not need access to the full set of data.
o Aggregate Data: Aggregation of data at various levels (i.e. county, district and industry). This level contains data suitable for public use.
CBER staff will use appropriate measures to protect the confidentiality of individual person or employer records and account for all disclosures. This includes keeping a list of the data, the nature and purposes of the disclosure, and to whom the disclosure was made.
Access to confidential information carries with it the responsibility to protect the data as well as to comply with Federal and State laws and regulations. Access to confidential individual and employer data shall be granted only to Partner Agency personnel who are authorized by the
Partner Agency.
The entities to which individual level information may be released and the conditions of the release are listed for each entity below.
1) Partner Agency Researcher
–The Partner Agency staff member who has a jobrequired need to access cross-agency confidential information or a demonstrated justification for research on or evaluation of an education program must have a signed
State confidentiality or Non-disclosure Agreement on file. The Partner Agency administrator of the person requesting access to confidential information must ensure that the person needs access to this information in the performance of his or her assigned duties and responsibilities. The Partner Agency researcher may not access agency information for personal purposes (for example, research for a dissertation) without permission.
2) Agent of the Partner Agencies
– An agent of a Partner Agency is an entity that contracts with the agency and has written authorization to analyze confidential data or to provide some other service involving confidential data. Data collection and analysis for the purpose of fulfilling the objectives of such a contract cannot be released to any third party, including Contractor's employees, for any purposes (including independent research) other than those directly related to such a contract, without written permission of the official from the Partner Agency. When an agent contracts with another entity to provide a service involving confidential data, these entities are considered agents for data purposes. A Partner Agency responsible for contracting with an entity to analyze confidential data or to provide some other service involving confidential data must ensure that the terms of the contract comply with the same conditions applicable to the Partner
TLDS Data Access and Management Policy Page 8 of 10
9/24/2012
Agency and that a Non-disclosure Agreement has been signed by the relevant organizational staff. A copy of the Non-disclosure Agreement will be kept on file with
CBER staff. The Partner Agency staff person responsible for releasing the data must ensure that the Non-disclosure Agreement has been signed prior to the data being released. In addition, the Partner Agency staff person must inform and obtain approval from other Partner Agencies prior to the release of another Partner Agency’s data to the agent organization. Should approval be given by all contributing Partner Agencies for the exportation of confidential data when further matching by the agent results in identifiable records, the Partner Agency Researcher role could be used to grant access to the agent.
3) Partner Agency Consumer – There are Partner Agency staff members that will not need to have access to confidential data, but rather will be able to filter data and view reports based on criteria selected.
4) Partner Agency Administrator – Each Partner Agency must have on file with CBER its policy and procedure for reviewing and granting access to the TLDS. Partner Agency administrators are employees of the State of Tennessee and specifically of the Partner
Agency that provides authorization for access. They will be responsible for granting access to Partner Agency personnel and have the ability to create reports. The Partner
Agency administrator will ensure that the appropriate safeguards are instituted to protect the confidentiality of the data and that the staff person has received appropriate training about confidentiality. They will also ensure that any reports created have the appropriate statistical suppression necessary based on the intended audience.
Researchers who are not agents of the Partner Agencies or who are not employed or contracted by the agencies may be authorized to conduct data processing or research and evaluation studies through contractual arrangements. Researchers must submit a written request for permission to have access to confidential data that explains the purpose of the research study, the agency or organization for which the study is being conducted, intent to publish, potential need for repeatability of results, and how the researchers will ensure data confidentiality and security.
This request will be considered on a case-by-case basis by members of a TLDS Research Review
Committee made up of Partner Agency representatives to determine if the request is in accordance with Federal and State laws and regulations. Partner Agency legal staff will be consulted.
Confidential data will not be released unless the data are requested by an individual or organization that (a) has developed a Research Proposal which has been approved by the TLDS
Research Review Committee and (b) has signed a Non-disclosure Agreement. The purpose of the research must meet the requirements of approved federal and state laws and regulations. Once approval has been given to the researcher, the data will be made available to the individual or organization. Once the research is completed, the individual organization will no longer have access to the data in the TLDS. CBER staff may request a copy of any analysis or reports created with data from the TLDS. Data access provisions may change if mandated by federal statute, state law, or administrative rules.
TLDS Data Access and Management Policy Page 9 of 10
9/24/2012
All other entities will be denied access to confidential education information, except for authorized representatives of the Comptroller General of the United States, the Secretary of the
U.S. Department of Education, or state and local educational authorities, which will be provided access to the data provided the disclosure is in the course of an audit, evaluation, compliance, or enforcement proceeding as defined in FERPA 34 C.F.R. §§ 99.31(a)(3), 99.35. The information will be masked to shield personal identification of students by others and the information will be destroyed when no longer needed. Restrictions on the redisclosure of confidential unemployment compensation information and safeguards required of recipients are defined in 20
C.F.R. §603.9 (b) and (d).
Data which have been de-identified or aggregated will be made available to other entities upon review of their requests for access.
Upon the request of any individual (or the individual’s parent/guardian if the individual is under the age of eighteen) to gain access to his/her (child’s) record contained in TLDS, the CBER staff will refer the individuals to the Partner Agency which supplied the data.
Intentional violations of this policy by a Partner Agency employee may result in formal disciplinary action, up to and including termination, denial of access to sensitive data, and revocation of TLDS access privileges.
Violation of this policy by agents of the TLDS, other entities, or researchers inappropriately releasing data from a person or employer record, whether through negligence or intent, will be subject to potentially permanent loss of access to TLDS records. CBER may utilize all legal remedies to recover any financial loss to the State which occurs due to negligent or intentional acts which constitute a violation of this policy. Any agents, other entities, or researchers who violate this policy, whether through negligence or intent, shall pay for the defense of all claims asserted against the State as a result of such violation.
CBER staff is also responsible for determining if confidential information has been improperly disclosed by a Tennessee official or a third party allowed use of the data in violation of this policy. If the disclosure is made by a Tennessee employee or official in violation of Federal or
Tennessee law, then the official or employee may be subject to disciplinary action, and, if the employee or official holds a Tennessee teaching or administrative certificate, could also be subject to discipline under Tennessee Law (if any).
If an improper disclosure is made by someone other than a Tennessee official, then the parties will not have access to any TLDS student data for five years as required by FERPA. In addition, all violations will be reported to the appropriate federal and state enforcement agencies.
TLDS Data Access and Management Policy Page 10 of 10