State agencies for Part C and Part B 619 regularly receive requests for data from internal and external parties. While protection of personally identifiable information (PII) is paramount, appropriately sharing data can lead to innovations in research, policies, and practices – innovations that benefit children, families, and practitioners/teachers. Data requested may be for a summary about a subpopulation of children, such as trends in the number of children with autism over the last 15 years, or the number of referrals received from neonatal intensive care units. An external researcher or a member of another state agency might request trend data for development of grant applications, or a state legislator may request data about the entire program population of children. Part C and Part B 619 programs must balance being responsive to data requests with ensuring data confidentiality and privacy to prevent violation of state and federal requirements. Therefore, a data request policy is a necessary part of comprehensive Part C and Part B 619 data governance.
Part C and Part B 619 programs should develop a data request policy to establish what data are available, to whom, in what formats, for what purposes, and how data requests are to be handled. In many cases, Part C or Part B 619 staff members can help the requestor better understand the strengths and limitations of the data and increase the likelihood that agency efforts are spent on fulfilling viable requests.
IDEA guarantees parents the right to inspect and review any education record the school system or any other participating agency collects, maintains, or uses. Additionally, parents may provide consent to service providers (e.g., pediatrician) to request their child’s record to support planning and provision of services.
Part C and Part B 619 programs are required to provide this information and the request does not need to be reviewed formally to determine whether it is appropriate before approval. Therefore, this section concerns exclusively other parties requesting data not covered under record requests.
A data request policy should outline the requirements for the release and use of requested data that are consistent with federal and state requirements. Part C and Part B 619 programs need to understand relevant federal and state agency regulations whether they are considering developing a new data request policy or are reviewing an existing policy.
A number of regulations apply when a data request involves releasing PII. Per federal Part C IDEA regulations, parents of referred children have the right to confidentiality of PII, including receiving written notice of, and providing consent to, the exchange of PII among agencies [34 CFR 303.401(a)]. Further, IDEA regulations for Part C [34 CFR 303.414(a) and (b) ] and Part B [34 CFR 300.622(a) and (b)] address the circumstances in which parental consent must be obtained and when information disclosure is authorized without consent by FERPA [34 CFR 99. 31]. Finally, the Uninterrupted Scholars Act (USA) amended FERPA in January 2013 to permit education agencies to disclose PII from the education records of children in foster care placement, without parental consent, to an agency caseworker or other representative of a state or local child welfare agency or tribal organization authorized to access a child’s case plan when the agency is legally responsible for the care and protection of the child (20 U.S.C. § 1232g(b)(1)(L)). FERPA has additional exceptions to the release of PII without parental consent including the audit and evaluation exception that requires a data sharing agreement. These regulations at 34 CFR 99.31 describe permissive exceptions and apply to Part B and Part C as well as to FERPA.
Part C and Part B 619 programs operate within the state agency in which they are housed. Thus, the structure and content of any data governance already within an agency is of particular importance. Before developing a data request policy, Part C and Part B 619 programs should review any policies regarding data requests developed by the agency in which their program resides. Existing policies might need to be updated with specific references or provisions related to Part C or Part B 619, in which case the considerations and the template below may be helpful in proposing language for this purpose.
Where no policy on data requests exists or a separate policy related to Part C or Part B 619 is needed, the template following the Considerations section is fully editable and prepopulated with language to expedite writing new data security and access policies.
Considerations for a Data Request Policy
Use the questions below to discuss the components of a comprehensive data request policy. Where appropriate, procedures and operational guidance that detail specific actions for implementing this policy should be created.
1. Data Request Policy: General Provisions
- Which federal laws/regulations (IDEA/FERPA) related to data requests apply to your Part C or Part B 619 program?
- Are there additional state agency policies related to data requests that apply to the Part C or Part B 619 program? If yes, what are they?
- What specific Part C or Part B 619 data request policies or procedures, if any, exist and apply?
- Which role, within what agency/program should be contacted with questions about this policy?
- Which role, within what agency/program is responsible for ensuring adherence to this policy?
- Which role, within what agency/program is responsible for monitoring adherence to this policy, and how will the monitoring be conducted?
- Which role, within what agency/program is responsible for managing the implementation of this policy including provision of training and technical assistance?
- How is this policy shared with all participating agencies and how is the implementation of this policy monitored?
- What role do stakeholders play in the development/review of this policy?
- What consequences, if any, will apply when this policy is not followed?
- How often will this policy be reviewed for necessary revisions?
- How will the public be informed about this policy? Where will it be posted on the state’s website?
2. Data Request Policy: Legal Considerations and Response Parameters
- Under what circumstances can data be released and for what purposes?
- What data and/or subsets of data are available for answering data requests and for what purposes? What level of aggregation (e.g., sample size) can be reported and for what purposes? (See Public Reporting section for additional information)
- What data are classified as personally identifiable data (PII) or protected data? Are PII available for release, and if so, under what circumstances? Who (what role) can authorize release of PII data in response to a request?
- How shall research data requests be handled?
- What constitutes research?
- What data may be requested for research?
- What level of authority (e.g., institutional review board) must be in place to oversee the research?
- What requirements, if any, will the state agency put in place for the researcher to report on, publish, and share data or findings back with the agency?
- Under what circumstances will a Part C or Part B 619 program notify parents when their data are shared?
- What provisions are in place to ensure that the data request is reasonable and consistent with the types of research questions being asked by the requestor (data minimization)?
- Under what circumstances are agreements (e.g., memorandums of understanding/MOUs, data sharing/use agreements) needed to respond to data requests?
- What mechanisms does the data governance structure have in place to ensure compliance with the requirements of the data request policy?
3. Data Request Policy: Required Information
- Who (e.g., Part C or Part B 619 program staff, researchers, an agent of a participating agency, service providers) are eligible to potentially receive data, and under what conditions?
- What information is required to respond to a request for data (e.g., requestor contact information, purpose of request, years of data requested, field [elements] requested, requested format [e.g., .xls, .pdf, .csv], proposed analysis)?
- What requirements will be made of participating agencies to ensure continued protection of shared data?
4. Data Request Policy: Process
- What is the method (e.g., written request, online form) for requesting data?
- What forms, if any, will be required for completing a request?
- How will a request be prioritized (including denied, modified, or accepted) given agency capacity and the perceived effort to provide necessary data to answer the request?
- Which role, within what agency/program has the authority to approve/deny the data requests?
- What is the process for approving, denying, mediating, or suggesting modifications (e.g., request could be addressed with de-identified data) to data requests?
- What is the timeframe for evaluating and responding to data requests?
- What system is in place to track requests from start to finish?
- Which role, within what agency/program will oversee the data request process?
- How are request determinations (approving, denying, mediating, or suggesting modifications) to be communicated to requestors?
- Which role, within what agency/program is responsible for fulfilling the request (preparing and validating the data)?
- Are fees associated with data requests? If so, under what circumstances and what is the fee structure?
- How are data requests tracked and processes documented to inform a systemic approach to similar future data requests (e.g., web postings of frequently requested reports)? What is the tracking and documenting process?
- What specific guidance is in place about safeguarding data for those who receive requested data and/or data reports?
- Which role, within what agency/program is assigned as a point of contact about this policy?
5. Data Request Policy: Access to/Use of Data/Recognition
- What is the expectation for reviewing and approving requested data/reports prepared by requestors prior to release?
- What length of time will data be made available for specific purposes? (For example, will archived data be used to respond to a data request? If yes, under what data request circumstances?)
- In what secure format are data made available (e.g., encrypted MS Excel files, secure FTP downloads)?
- What mechanisms will be used to ensure that data are properly destroyed once they have been used for the agreed upon/intended purpose?
- What is the expected publication reference for provided data (e.g., acknowledgement of state agency, grant number, funding source for data, etc.)?
Note: See Data Security and Access section of the Toolkit for additional information related to data security and data transfer.
When analyzing the privacy and confidentiality requirements for children with disabilities, it is critical to begin by examining the IDEA requirements first. If you or members of your staff have questions, please contact your State Lead in OSERS Office of Special Education Program’s (OSEP) Monitoring and State Improvement Planning Division.
- FERPA Exceptions Summary is a 2014 publication from the U.S. Department of Education’s Privacy Technical Assistance Center intended to be a handy visual aid to help identify at a glance what FERPA exception applies to the data sharing work you are trying to do.
- Understanding the Confidentiality Requirements Applicable to IDEA Early Childhood Programs Frequently Asked Questions provides responses to frequently asked questions to facilitate and enhance states’ implementation of IDEA privacy and confidentiality provisions and can be used in conjunction with the 2014 side-by-side guide of the IDEA and Family Educational Rights and Privacy Act (FERPA) Confidentiality Provisions.
- A Little Privacy Please? Safeguarding the Privacy of Young Children with Disabilities under IDEA and FERPA was a December 2016 webinar in which privacy and legal experts from the U.S. Department of Education discussing answers to frequently asked questions related to privacy and confidentiality for IDEA early childhood programs.
Data Request Policy Template
Use, and modify as needed, the template linked below for developing a data request policy. Select the highlighted text and replace with your state/program information. We recommend that you consult with relevant staff and stakeholders when developing these policies. Upon completing the template, be sure to follow your state’s processes for finalizing and enacting policy.
Download Template for Data Request Policy