Protect the privacy of individuals who provide data while ensuring appropriate ownership and access to information.
Data privacy policies protect the right of individuals to maintain control over their data. They include a combination of federal, state, and local laws—including the Family Educational Rights and Privacy Act (FERPA)—and institutional policies. Most policies focus on protecting personal information—or information that is important to an individual (even if it does not personally identify them)—and regulating data access and use, thereby limiting emotional, financial, and even physical harm that can result from data privacy breaches. Although privacy considerations are critical, it is also important to understand and honor data ownership. Data users must acknowledge that data providers are data owners that consent to the use of their data.
Data privacy policies have evolved in recent years to better reflect that data systems do not “own” data more than the people whose lives are represented in them. In 2018, the European Union passed the General Data Protection Regulation, which gives European residents the right to know, access, update, erase, and restrict the types of data collected on them. Since 2020, the California Consumer Privacy Act (CCPA) requires businesses (including for-profit education service providers and for-profit universities) to obtain parent or guardian consent before collecting data from California’s children and to delete data upon request, among other things (CCPA has inspired similar laws in other states). A common feature of these laws is that they grant individuals the ability to update, delete, or opt out of all or specific applications of their data at any point during or after collection. Even if not mandated by law, E-W data systems should have a clear process for accepting these requests and clear guidelines around honoring them.
Data users should consult community members to determine data access guidelines and practices, weighing the risks and benefits of both restricting and opening access to data. Data access refers to who can securely obtain, view, or use data, and for what purposes. There are legal, practical, and equity considerations for determining data access, which vary across contexts. For example, sharing administrative data with E-W system partners or researchers can increase the risk of a data breach, yet not sharing data can make it more difficult to understand and address a problem of practice, at least without duplicating data collection efforts that burden communities. At a minimum, communities should have access to their own data (abiding by any privacy or confidentiality rules). But access is different from ownership. To shift power dynamics and honor communities’ own goals and visions, communities should have the right to govern the collection, ownership, and use of their data. This is a key principle of Indigenous data sovereignty, for example.xxxii
E-W data systems should establish a participatory governance structure that includes representation from the affected communities to determine which data are open, restricted, or unavailable and—as with requests from individuals about their own data—develop a clear process for accepting and approving requests from potential data users. After a project ends, data users should consider secure methods by which they can return data (for example, in aggregate form) to the communities, the data owners, to allow continued or future use of their data for other purposes.
xxxii See this 2018 resolution from the National Congress of American Indians: “Support for U.S. Indigenous Data Sovereignty and Inclusion of Tribes in the Development of Tribal Data Governance Principles.”
The real risks of data breaches
The Government Accountability Office (GAO) discovered 99 data breaches in 281 school districts from July 2016 to May 2020. The breaches affected thousands of students and parents, exposing sensitive data such as special education records, test scores, phone numbers, and Social Security numbers. School staff, students, cybercriminals, and vendors were all responsible for various data breaches, which were both intentional and accidental. Citing the risks to students’ physical, emotional, and financial well-being, the GAO recommended that schools review and follow data privacy laws, provide data security trainings, require vendors to configure data systems adhering to the Federal Trade Commission’s “Start with Security Guide,” or take an annual Nationwide Cybersecurity Review self-assessment.
Applying this Principle
Review federal, state, local, or Tribal data privacy laws and policies that apply. Determine whether you need memoranda of understanding, data-sharing agreements, or consent to collect or share data.
Develop a list of data elements to collect and any linked data sets, as well as how you will store data, who will have access to data, how you will use data and for how long, and what you will do with the data after analysis is complete. Establish a governance body with representation from multiple contributing groups, including proximate leaders from affected communities. Convene this body to develop clear processes and guidelines for accepting and approving requests from individuals who provided their data and potential data users.
Communicate data privacy and security processes when collecting data. Seek informed consent even if not required. Only collect data that are necessary and have been approved.
Store data in a secure location that is only accessible to authorized users. Ensure storage systems have the proper protections (such as locks, encryption, and passwords). If you share data, ensure they are transmitted through secure methods. Train those with access to data on relevant laws and best practices. Practice data minimization; only give users access to the minimally necessary data elements and data sets. Ensure individuals who provide data can access, update, and delete their data upon request. Upon project completion, discard or return data as directed or previously established by individuals who provided the data.
Maintain confidentiality of participants in reporting. Do not name individuals without permission, share a combination of data points that could lead to an individual being identified, or report data on very small sample sizes that could risk identification. Delete data when no longer in use for the intended purposes.
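The two practices above, data minimization (keeping only the approved data elements) and small-cell suppression in reporting (hiding counts that could identify an individual), can be expressed as a short set of checks. The following is an added example, not code from the framework or any of the organizations it cites; the records are constructed, the field names and the minimum reporting cell size of 5 are assumptions, and the "approved" field list stands in for whatever a governance body has actually approved.

```python
from collections import Counter

# Constructed sample records (hypothetical, not real student data).
def _rec(i, school, grade, iep, zip_code, score):
    return {"id": i, "school": school, "grade": grade, "iep": iep, "zip": zip_code, "score": score}

SAMPLE_RECORDS = [
    # school A, grade 9: eight records, one of them flagged with an IEP
    *[_rec(i, "A", 9, False, "10001", 60 + i) for i in range(1, 8)],
    _rec(8, "A", 9, True, "10001", 55),
    # school B, grade 9: three records
    *[_rec(i, "B", 9, False, "10002", 70 + i) for i in range(9, 12)],
    # school C, grade 10: six records
    *[_rec(i, "C", 10, False, "10003", 80) for i in range(12, 18)],
]

# Assumed: the data elements the governance body approved for this project.
APPROVED_FIELDS = {"school", "grade", "iep", "score"}
# Assumed minimum cell size below which a count is not reported.
MIN_CELL = 5


def minimize(records, approved_fields):
    """Data minimization: drop every element that was not approved (here id and zip)."""
    return [{k: v for k, v in r.items() if k in approved_fields} for r in records]


def aggregate_counts(records, group_fields, min_cell=MIN_CELL):
    """Count records per group; cells with fewer than min_cell records become None."""
    counts = Counter(tuple(r[f] for f in group_fields) for r in records)
    return {key: (n if n >= min_cell else None) for key, n in counts.items()}


def risky_combinations(records, quasi_identifiers, k=MIN_CELL):
    """Combinations of data points shared by fewer than k people.

    These are the combinations that, if released, could single someone out
    even though no field on its own is a direct identifier.
    """
    counts = Counter(tuple(r[f] for f in quasi_identifiers) for r in records)
    return {key: n for key, n in counts.items() if n < k}


def suppressed_breakdown(records, field, min_cell=MIN_CELL, publish_total=True):
    """One-way breakdown with primary and complementary suppression.

    If the total is published and exactly one cell is suppressed, that cell could
    be recovered by subtraction, so the next-smallest cell is suppressed as well.
    """
    counts = Counter(r[field] for r in records)
    suppressed = {v for v, n in counts.items() if n < min_cell}
    if publish_total and len(suppressed) == 1:
        remaining = sorted((n, v) for v, n in counts.items() if v not in suppressed)
        if remaining:
            suppressed.add(remaining[0][1])
    table = {v: (None if v in suppressed else n) for v, n in counts.items()}
    if publish_total:
        table["total"] = sum(counts.values())
    return table


if __name__ == "__main__":
    print(aggregate_counts(SAMPLE_RECORDS, ("school", "grade")))
    print(risky_combinations(SAMPLE_RECORDS, ("school", "grade", "iep")))
    print(suppressed_breakdown(SAMPLE_RECORDS, "school"))
```

Run on the constructed records, the school-by-grade table reports school A (8) and school C (6) but suppresses school B (3); the combination check flags the single IEP student at school A and the three students at school B as re-identifiable; and the one-way breakdown by school suppresses school C in addition to school B, because with a published total of 17 a single hidden cell could otherwise be recovered by subtraction. Real reporting usually needs the same complementary logic applied across every row and column of a multi-way table, and the threshold should come from the applicable law or the governance body rather than a constant in code.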
- Beyond federal data privacy laws such as FERPA, which state, local, or Tribal data privacy laws or policies apply to you?
- What procedures have you established to enable individuals to access, update, or delete their data, if requested?
- If many people opt out of data collection, why have they done so? How can you use their feedback to inform and redesign data collection efforts to minimize conflict and harm?
- What will you do with the data after analysis and reporting? Can you share the data back with communities? How can the individuals who provided their data inform your decision?
Be On The Lookout
Data sharing between organizations can give users access to additional data elements needed to assess and address disparities and reduce the data collection burden on individuals; however, it comes with its own risks. Any time data are shared, users must follow data governance policies by establishing a memorandum of understanding or data-sharing agreement and reviewing any consent documentation to ensure data sharing is permissible. Both parties must transmit the data securely and clearly track the data lineage—where the data came from and where they’re going. Never share data with third parties (whether businesses, researchers, law enforcement, or other government agencies) or use data for other purposes without permission.
- Roadmap to Safeguarding Student Data. This Data Quality Campaign implementation road map for state education agencies overviews relevant data privacy laws and best practices for transparency, governance, and data protection procedures.
- A Path to Social Licence: Guidelines for Trusted Data Use. Data Futures Partnership offers eight guidelines for data use related to data value, protection, and choice. Although some of the guidelines are specific to New Zealand and its Tribal communities, many are universally applicable.
- A Toolkit for Centering Racial Equity Through Data Integration. The chapters on “Racial Equity in Data Collection” and “Racial Equity in Data Access” by Actionable Intelligence for Social Policy address positive and problematic policies related to data privacy, as well as cite brief case studies.
- Indigenous Data Governance: Strategies from United States Native Nations. This journal article by Russo Carroll et al. explains the concepts of Indigenous data sovereignty and governance, and describes the value and challenges of shifting authority over Indigenous data to Indigenous peoples. The article includes Tribal case studies and discusses relevant federal laws and Tribal organizations.
- Envisioning a New Future: Building Trust for Data Use. This resource, developed by the Urban Institute for the Data Funders Collaborative, describes approaches to building trust for collection and use of data, such as ways to expand and control data access and improve systems for consent and transparency. It includes a list of additional resources for data use and integration.
The framework's recommendations are based on syntheses of existing research. Please see the framework report for a list of works cited.