Lessons Learned from Developing Data Sharing Agreements Baron Rodriguez DaSy Center Sharon Walsh DaSy Center Jill Singer NC Part C Nicholas Ortiz CO Dept of Education September 21 2015 2 Agenda ID: 773337
Download Presentation The PPT/PDF document "Lessons Learned from Developing Data Sha..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Lessons Learned from Developing Data Sharing Agreements Baron Rodriguez, DaSy CenterSharon Walsh, DaSy CenterJill Singer, NC Part CNicholas Ortiz, CO Dept. of Education September 21, 2015
2Agenda ObjectivesMapping ProcessData Sharing Agreements – requirements and best practicesState experiencesResources
3Objectives Participants will have an improved understanding of:Requirements related to data sharing agreementsCommon challenges and pitfalls in developing data sharing agreementsEffective strategies and best practices for developing agreementsDaSy and PTAC resources on data sharing agreements
4Some Questions for You
5Before you start, map! Why? Understanding data flows/sources/elements helps determine which laws apply:Privacy ProtectionsSecurity RequirementsBreach Notification RequirementsConsent RequirementsGives you a better understanding of your data systems and assists you with internal & external communications
6High Level Mapping Steps
7Data Mapping: Key Steps Identify the key policy questionsIdentify data types/elements needed to answer those questionsDo you have multi-agency governance?Yes=Document the process; No=institute multi-agency governanceAgencies involved?What level of data is needed at the input AND output level?
8Data Mapping: Key Steps Review applicable state, federal, & local laws.Current/pending privacy bills? Impact?Compliance is the bar, not the ceiling.. You may want MORE stringent controls.Review current privacy policies in EACH agency involved with data integration.Alignment with applicable laws above?Do policies meet multi-agency governance needs of LINKED data?
9Mapping Process… Map data flow in a visual formatWhere information resides (agency/system), where it will go, and what the output (aggregate, PII, de-identified) of the combined data will be?Verify governance covers all data sets and actorsOwnership of input dataOwnership of LINKED dataAccountability Collection
10Mapping Process… Verify data sharing agreements needed and/or in place currentlyLook at visual data flows/agencies involved to determine which laws/FERPA exception applies.Workforce: Definition (state) of a public official?Audit/Evaluation Exception: Determination of “Education Program”Audit/Evaluation Exception: Designating an “Authorized Representative”Best practices for Data Sharing Agreements
11What Is a Data Sharing Agreement? Can be called many different names: MOU, MOA, Contract, Written Agreement, etc.The mandatory elements of the agreement vary slightly between the two exceptions The data sharing checklist delineates the minimum requirements under the Studies and the Audit or Evaluation exceptions
12 Approaches to Data Sharing AgreementsMaster data sharing agreement across all early childhood partners with addendums for each request based on the type of exceptionNo master data sharing agreement across all early childhood partners, only individual agreements for each request
13Why Are Data Sharing Agreements Needed?They are now required when sharing under either the Audit/Evaluation exception or Studies exceptionEven under the School Official exception, it is a best practice to have an agreement in place
14When Does FERPA Apply to EC Organizations?
15 Key Points to RememberProperly de-identified data can be shared without any FERPA considerations and should be your FIRST option as it limits the risk of unauthorized PII disclosureIn most cases, consent is the best approach for sharing PII with non-profit organizationsDirectory Information is often misunderstood. Opt-out provisions do not prevent data from being shared under the Audit/Evaluation or School Official exceptions
16Data Sharing = Disclosure Remember: There is no “data sharing” or “research” clause in FERPA; rather, sharing of student PII is considered “disclosure” under FERPA and is only allowable under specific circumstances.
17 FERPA’s Audit or Evaluation ExceptionA state or local educational authority may designate a third party as their “authorized representative” and then disclose PII from education records to them for the purposes of conducting an audit or evaluation of a federal or state-supported education program.
18FERPA’s Audit or Evaluation Exception - RequirementsDisclosing entity must be a state or local educational authorityMust be for the evaluation of a federal or state-supported education programMust use a written agreement to designate the recipient as the authorized representativeThe written agreement must include a number of required elements(see “Guidance on Reasonable Methods and Written Agreements”)
19FERPA’s Audit or Evaluation Exception - RequirementsThe recipient must:Comply with the terms of the written agreement;Use the PII only for the authorized purpose;Protect the PII from further disclosure or other uses; andDestroy the PII when no longer needed for the evaluation.
20 School Official ExceptionSchools or LEAs can use the School Official exception under FERPA to disclose education records to a third party only if the outside party:Performs a service/function for the school/district for which the educational organization would otherwise use its own employeesIs under the direct control of the organization with regard to the use/maintenance of the education records
21School Official Exception Uses education data in a manner consistent with the definition of the “school official with a legitimate educational interest,” specified in the school/LEA’s annual notification of rights under FERPA Does not re-disclose or use education data for unauthorized purposes
22 Written Agreements: Studies Exception Written agreements mustSpecify the purpose, scope, and duration of the study and the information to be disclosed, and Require the organization to use PII only to meet the purpose(s) of the studylimit access to PII to those with legitimate interestsdestroy PII upon completion of the study and specify the time period in which the information must be destroyed
23 Studies ExceptionStudies conducted “for or on behalf of” schools, school districts, or postsecondary institutionsStudies must be for the purpose ofDeveloping, validating, or administering predictive tests; orAdministering student aid programs; orImproving instruction.§ 99.31
24 Note on the Studies Exception The "Audit/Evaluation” exception in 34 CFR §§99.31(a)(3) and 99.35 is the most appropriate exception under IDEA and FERPA for data sharing arrangements for the IDEA early childhood community. In the very limited instance in which IDEA Part C or IDEA Part B section 619 agencies or programs propose to consider using the “Studies” exception under FERPA, such agencies and programs will want to consult with the Department’s Office of Special Education Programs (OSEP) and Family Policy Compliance Office (FPCO) regarding how the proposed data sharing would meet the requirements in 34 CFR §§99.31(a)(6) and 303.414 (for IDEA Part C) and 34 CFR §§99.31(a)(6) and 300.622 (for IDEA Part B Section 619).
25Remember: Use the Appropriate FERPA Exception Schools/LEAs: IT contractors must meet criteria under the School Official exception discussed earlier.SEAs: Cannot use the School Official exception; therefore, must designate IT service providers as “authorized representatives” under the Audit/Evaluation exception.
26 Audit or EvaluationFederal, State, and local officials listed under § 99.31(a)(3), or their authorized representative, may have access to education records only –in connection with an audit or evaluation of Federal or State supported education programs, orfor the enforcement of or compliance with Federal legal requirements which relate to those programs.The information must be:protected in a manner that does not permit disclosure of PII to anyone; anddestroyed when no longer needed for the purposes listed above.
27 Any entity or individual designated by a State or local educational authority or an agency headed by an official listed in § 99.31(a)(3) to conduct — with respect to Federal- or State-supported education programs — any audit or evaluation, or any compliance or enforcement activity in connection with Federal legal requirements that relate to these programs Who Is an Authorized Representative?
28 What Are Written Agreements?Mandatory for LEA or SEA disclosing PII without consent under audit/evaluationMandatory for school or LEA for disclosing to outside organization under the studies exception, or for SEA redisclosing for, or on behalf of, school or LEA
29 Reasonable Methods In disclosing to a designated authorized representative under audit/evaluation exception, LEA must ensure to the greatest extent practicable that an authorized representativeUses PII only to carry out an audit or evaluation of education programs, or for the enforcement of or compliance with, Federal legal requirements related to these programsProtects the PII from further disclosures or any unauthorized useDestroys the PII records when no longer needed for the audit, evaluation, or enforcement or compliance activity§ 99.35
30 As you begin . . .Understand the structure of your agencies, where the data currently resides and how the data flows (data mapping)Understand privacy considerations, particularly FERPAWhat exception(s) applies?Is there an MOU in place to share these data? Does it address necessary data elements?Aggregate and de-identified dataDecide on the approach for sharing dataMaster data sharing agreement with addendum No master data sharing agreement, only individual agreementDecide on which exception is needed based on agreement type
31 How to Make the DecisionLet’s look at the checklist
32Commonalities All agreements should have a specified purpose for the agreementAll agreements should have the identified data that will be sharedAll agreements should discuss destruction of dataAll agreements should discus the consequences of not following the agreementWhen using exceptions the agreement should always have information about how the data will be used (not applicable for a master data sharing agreement as this will be captured in the addendum)
33Differences There are more differences than commonalities as is the nature of these agreements:Master AgreementsStudies ExceptionAudit or Evaluation ExceptionFocuses on the linkage and storage of data across entitiesDiscusses where the data will reside and who owns itVery specific purposeSpecific purposeMuch more detail about the identification, use and destruction of PII
34 State Experiences: Lessons LearnedNorth CarolinaColorado
North Carolina,Jill Singer
NC Early Childhood Integrated Data System (NCIDS) A project and major goal of the NC RTT – Early Learning Challenge GrantA data system that:integrates early childhood education, health, and social service information from key participating state agencies and is focused on all children receiving state and federal services from NC participating agencies ages 0-5.
37
38Key Participating Agencies NC Department of Health and Human Services (DHHS) NC Division of Child Development and Early Education (DCDEE) NC Division of Public Health (DPH) NC Division of Social Services (DSS) NC Department of Public Instruction (DPI)Head Start Smart Start & The North Carolina Partnership for Children (NCPC)
39Agency Memorandum of Agreement NC ECIDS has an agency-level Memorandum of Agreement (MOA) which outlines the data sharing agreement between the key participating agencies (KPA)Each KPA has appendices to the MOA that outline the programs and specific data elements to be included in NC ECIDS.
40SUCCESSES CHALLENGESLESSONS LEARNED
41Strategic Planning Anticipate Time and Investment Engage StakeholdersContinuous Feedback
42Governance Council Research Panel External Stakeholders Panel
43Collaboration, Coordination, Communication Adapt any existing agreementsMake data sharing sustainable and equitableUtilize available resources (State Dept., PTAC, etc.)
Colorado,Nicholas Ortiz
45Types of Agreements (In My World) SEA agreements with researchersGuidance for local education agenciesAgreements with other state agencies Format: Overarching agreement with appendix for each use caseEarly Childhood Participation ProjectPart C/EIPart B/619Colorado Preschool Program Head Start/Early Head Start Results Matter (Early Childhood Assessment)
46Successes Challenges Use existing toolsChecklists Review BoardsSEA PoliciesState LawHelp parties understand: they can define terms of the agreement, too! Communication and Messaging Evolving Data Privacy Policies Data Sharing Myths
47Other Lessons Be humble. Be patient. Don’t underestimate how long it can take!Demonstrate valueCreate a clear process for data requestsConsider other agencies’ governance processesAvoid sharing children’s names wherever possible
48Successful data sharing agreements need: Adapted from “Data Sharing: Creating Agreements. In Support of Community-Academic Partnerships” (2012). Paige Backlund Jarquín, MPH, University of Colorado.
49
50Resources DaSy Center Privacy and Confidentiality athttp://dasycenter.org/other-resources/privacy-and-confidentiality/PTAC Early Childhood Data Privacyhttp://ptac.ed.gov/early-childhood-data-privacy
51DaSy Center Visit the DaSy website at:http://dasycenter.org/Like us on Facebook: https://www.facebook.com/dasycenterFollow us on Twitter:@DaSyCenter
52 The contents of this presentation were developed under a grant from the U.S. Department of Education, # H373Z120002. However, those contents do not necessarily represent the policy of the U.S. Department of Education, and you should not assume endorsement by the Federal Government. Project Officers, Meredith Miceli and Richelle Davis.