Data Security

Data Security Guidelines 

Data within the Texas ERC data warehouse contains personal information about individuals. This information is protected by the Federal law known as the Family Educational Rights and Privacy Act of 1974 (see FERPA). To protect the confidentiality of this information, the following guidelines are in place and required of everyone who accesses the Texas ERC data warehouse:

  • FERPA training is required of all persons accessing confidential Texas ERC data. The University of Texas at Austin has resources and options available for training, both for people directly associated with the University as well as those outside the University community. Researchers must provide proof of the completion of FERPA training before they can be granted access to the Texas ERC.
  • A Confidentiality Agreement Confidentiality Agreement must be signed and renewed annually for a researcher to gain access to the Texas ERC data warehouse. Your signature on the Confidentiality Agreement acknowledges that you have read and understand the terms of the agreement. It also acknowledges that you have received a copy of the Policies and Procedures for Texas Education Research Centers between the University of Texas at Austin and the Texas Higher Education Coordinating Board, as well as the Terms and Conditions for Using Confidential Data, and that you have read and understand the terms contained within both documents. Your signature also confirms that you agree to comply with the terms of all these documents. Please direct any questions concerning data security to the Director or Associate Director of the Texas ERC.
  • Texas ERC data may be used only for research projects that have been specifically approved by the Joint Advisory Board (JAB) and for investigative and analysis tasks upon direction by one or both JAB commissioners.
  • Permission to use Texas ERC data is granted for a fixed amount of time and may be renewed as needed at the discretion of the Director of the Texas ERC and the JAB. Permission may be revoked at any time. Immediate termination of access will result in cases where there is significant risk of unauthorized disclosure of confidential information or violation of security guidelines.
  • Research results must be reported in a manner that does not enable audiences to learn about individual persons in the data. For example, groups for which statistical summaries are presented must include at least five persons.
  • All research products (reports, summaries, presentations, proposals, etc.) that reference, contain, or are based on Texas ERC data must be FERPA-compliant. All such products must be submitted for review and approval for release (see Review and Release Process).

If you have any doubts or questions regarding Texas ERC data security procedures, please consult with the Director. The center appreciates notification of any problems or potential problems as early as possible.

Data Access Requirements 

Researchers log into the Texas ERC through a University of Texas Electronic Identity (UT EID), which provides individuals with a user account and password that meets the statutory strength requirements for public agencies in Texas. Researchers who are employees or students of The University of Texas at Austin are expected to use their current UT EIDs. Researchers from other campuses may apply for a guest UT EID (see UT EID application page). Entry into the Texas ERC must always be gained through a researcher's own account. Under no circumstance may a researcher log into the Texas ERC under another researcher's account or allow another researcher to log in through their account.

Access to the Texas ERC data warehouse is accomplished through the use of approved client workstations installed in secure locations at The University of Texas at Austin and consortium university campuses. These workstations and secure locations are subject to the following restrictions and controls:

  • Only approved client workstations may be used to connect to the network and servers of the Texas ERC secure system environment.
  • All client workstations must be protected from the public internet and from large institutional networks by a secure firewall. Each installation location must ensure sufficient controls are in place so that connections to the data warehouse are possible only from client workstations physically located at the approved access locations.
  • Physical access to the client workstations is restricted to authorized personnel. For example, workstations should be located in offices with locking doors with tightly controlled key distribution. Sign-in/Sign-out logs to record physical access events must be maintained by support staff at each client workstation installation location.
  • The door to a location that houses a client workstation must remain closed while a researcher accesses the Texas ERC.
  • No thumb drives, jump drives, removable storage devices, or any like devices are permitted at the client workstation installation locations.
  • Client workstations are supplied to installation locations by the Texas ERC. The workstations run a currently supported operating system version and are protected by virus-scanning software that is updated regularly.
  • Network communication between the client workstations and the Texas ERC secure system environment takes place via TCP/IP over SSL connections.
  • The firewall for the Texas ERC secure system environment allows incoming connections only from the specific static IP addresses of the client workstations at each installation location.
  • Logs are kept of all access to the Texas ERC secure system environment. These logs are archived for the life of the Texas ERC.

FERPA 

The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. To the extent that the Texas ERC brings together records of information on an individual student basis, the relevance of FERPA is obvious. As such, identifying pieces of information, e.g. student names and ID numbers, are re-mapped or removed so as to "de-identify" students within the Texas ERC data warehouse.

To further ensure compliance with FERPA requirements, researchers are required to take care that data is not grouped or summarized in such a way that would allow identification of individual students. The contractual obligations that ensure this compliance are included in the confidentiality agreement that every researcher signs before gaining access to the Texas ERC data warehouse (see Confidentiality Agreement). The general guideline is that any data cell with a composite size of less than five must be suppressed in any data released from the Texas ERC. Before any data can be released from the research center, it must be reviewed and approved for release.

Learn More about FERPA

For additional information or technical assistance, please call (202) 260-3887. For TDD assistance, please call the Federal Information Relay Service at (800) 877-8339.

FERPA Training

ERC policy mandates that FERPA Training be completed every two years. For UT students, a screen shot showing that your FERPA Training has been completed can be submitted as proof:

You will be prompted to log into the UT Direct system. The module you are interested in is CW504 FERPA.

For professional researchers (non-UT students), another option for FERPA training which will not require a UT high assurance id:

Once the training is completed, providing a PDF of the certificate with name and date completed will be valid proof for two years.

Related Links