U.S. Department of Education
A Service of the Student Privacy Policy Office's
Privacy Technical Assistance Center
Student privacy has a full range of terms, many acronyms, and a nomenclature all its own. This glossary page has been designed to aid stakeholders in breaking down and understanding the terms most commonly used in the Student Privacy sphere, as well as provide clear and concise definitions for commonly used terms relating to student privacy. New entries will be added as necessary to maintain and expand this knowledge base.
Access controls limit entry to information system resources to authorized users, programs, processes, or other systems. Components of an access control system include, for example, physical access (e.g., locks on doors to a server room), authentication systems that verify the identity of a user or client machine attempting to log into a system, and file encryption that makes data unreadable to anyone who does not possess the cipher key or encryption algorithm.
Additional information is available in the PTAC publication Data Security and Management Training: Best Practice Considerations
Anonymized data are data that have been de-identified and do not include a re-identification code. In an anonymized data file, the student case numbers in the data records cannot be linked back to the original student record system.
For more information, see the SLDS Technical Brief: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records.
Assurance level is a level of confidence in the process used to validate and establish the identity of a person attempting to access an information system. For more guidance on authentication assurance levels, see E-authentication Guidance for Federal Agencies (OMB M04-04) and NIST SP 800-63-1.
Additional information is available in the PTAC publication Identity Authentication Best Practices.
FERPA regulations define attendance to include, but not be limited to: (a) Attendance in person or by paper correspondence, videoconference, satellite, Internet, or other electronic information and telecommunications technologies for students who are not physically present in the classroom; and (b) The period during which a person is working under a work-study program. See also Dates of Attendance.
For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3.
Attribute disclosure occurs when data in a student level file or aggregate data in tabulations reveal sensitive information about a student.
For more information, see the SLDS Technical Brief: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records .
Authentication (single and multifactor) is a mechanism that an electronic system uses to identify and validate the identity of users with the required degree of confidence that the user is who he or she purports to be. Authentication is accomplished through the use of one or more “factors,” which correspond to things that the user knows (like a password), something that they possess (like a security token), or something they are (like a fingerprint). Authentication should not be confused with authorization, which is the process of granting individuals access to system resources based on their identity. More guidance is available on identity credentials from the National Institute for Standards of Technology publication NIST SP 800-103.
Additional information is available in the PTAC publication Identity Authentication Best Practices.
An authenticator is a “secret that creates the binding between credentials and its presenter,” as described in the National Standards of Technology publication NIST SP 800-103. Authenticators can take the form of information, such as passwords or PINs; hardware, such as key fobs or smart cards; or some digital form, such as digital signatures and certificates.
Additional information is available in the PTAC publication Identity Authentication Best Practices.
See also Unauthorized Disclosure, Disclosure, and Identity Disclosure.
Authorized representative is defined any entity or individual designated by a State or local educational authority or an agency headed by an official listed in 34 CFR §99.31(a)(3) [i.e., Comptroller General of U.S., U.S. Attorney General, U.S. Secretary of Education, and State or local educational authorities] to conduct – with respect to Federal – or State-supported education programs – any audit or evaluation, or any compliance or enforcement activity in connection with Federal legal requirements that relate to these programs.
For more information, see the Family Educational Rights and Privacy Act regulations, 34 CFR §99.3.
FERPA regulations define a biometric record as one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints, retina and iris patterns, voiceprints, DNA sequence, facial characteristics, and handwriting.
For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3.
Blurring is a disclosure limitation method which is used to reduce the precision of the disclosed data to minimize the certainty of individual identification. There are many possible ways to implement blurring, such as by converting continuous data elements into categorical data elements (e.g., creating categories that subsume unique cases), aggregating data across small groups of respondents, and reporting rounded values and ranges instead of exact counts to reduce the certainty of identification. Another approach involves replacing an individual's actual reported value with the average group value; it may be performed on more than one variable with different groupings for each variable
Additional information is available in the PTAC publication Data De-identification: An Overview of Basic Terms.
A brute-force attack is a type of malicious attack against a system in which the attacker repeatedly attempts to gain access by presenting all possible combinations of access credentials until a match is found. A hacker attempting to gain access to a system by guessing all possible combinations of characters in a password is an example of a brute-force attack.
Additional information is available in the PTAC publication Identity Authentication Best Practices.
Coarsening disclosure limitation techniques preserve the individual respondent's data by reducing the level of detail used to report some variables. Examples of this technique include recoding continuous variables into intervals, recoding categorical data into broader intervals, and top- or bottom-coding the ends of continuous distributions.
For more information, see the NCES Statistical Standards.
Configuration management policy also referred to as Secure Configuration Management policy, is the management of security features through control of changes made to hardware, software, firmware, and security documentation throughout the life cycle of an information system.
Additional information is available in the PTAC publication Data Security: Top Threats to Data Protection.
Cross site request forgery is a type of malicious exploit where an attacker gains access to and executes unauthorized commands on a target web application (e.g., web interface for a network device or web email client) via the browser of an already authenticated user. The attack is accomplished by tricking a validated user who has logged in and has a session cookie stored in the browser into opening an email message or visiting a webpage with imbedded malicious content.
Additional information is available in the PTAC publication Identity Authentication Best Practices.
Cross site scripting (XSS) is a type of computer security vulnerability that uses malicious script imbedded in an otherwise benign and trusted web application to gather user data. When the script is executed (e.g., when a user clicks on a compromised link in an email message or reads an infected forum post), sensitive user data can be accessed by the attacker.
Additional information is available in the PTAC publication Identity Authentication Best Practices.
Cryptographic hash algorithm is a well-defined computational procedure that takes variable inputs (e.g., individual’s name or a password in plain text) and produces a fixed-size hash value (also known as message digest), such that any accidental or intentional change of the input (e.g., user mistyping a password) would produce a different hash value.
Additional information is available in the PTAC publication Identity Authentication Best Practices.
A data breach is the intentional or unintentional release of secure information to an untrusted environment.
Additional information preventing a data breach is available in the PTAC publication Data Security and Management Training: Best Practice Considerations.
Data security is the means of ensuring that data are kept safe from corruption and that access to it is suitably controlled. The primary goal of any information and technology security system is to protect information and system equipment without unnecessarily limiting access to authorized users and functions.
Additional information is available in the PTAC publication Data Security and Management Training: Best Practice Considerations.
Data stewards are managers and administrators within an organization who are responsible for implementing data governance policies and standards and maintaining data quality and security.
Additional information is available in the PTAC publication Data Governance and Stewardship.
Data stewardship can be defined as a comprehensive approach to data management to ensure quality, integrity, accessibility, and security of the data.
Additional information is available in the PTAC publication Data Governance and Stewardship.
FERPA regulations define dates of attendance as the period of time during which a student attends or attended an educational agency or institution. Examples of dates of attendance include an academic year, a spring semester, or a first quarter. The term does not include specific daily records of a student's attendance at an educational agency or institution. See also Attendance.
For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3.
See Disclosure limitation method.
Additional information on De-identification strategy and Disclosure limitation method is available in the PTAC publication Data De-identification: An Overview of Basic Terms.
For more information, see the SLDS Technical Brief: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records.
Direct identifiers include information that relates specifically to an individual such as the individual’s residence, including for example, name, address, Social Security Number or other identifying number or code, telephone number, e-mail address, or biometric record. See also Indirect Identifier.
For more information, see the SLDS Technical Brief: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records.
Directory information is information contained in the education records of a student that would not generally be considered harmful or an invasion of privacy if disclosed. Typically, "directory information" includes information such as name, address, telephone listing, date and place of birth, participation in officially recognized activities and sports, and dates of attendance. A school may disclose "directory information" to third parties without consent if it has given public notice of the types of information which it has designated as "directory information," the parent's or eligible student's right to restrict the disclosure of such information, and the period of time within which a parent or eligible student has to notify the school in writing that he or she does not want any or all of those types of information designated as "directory information." 34 CFR § 99.3 and 34 CFR § 99.37.
For more information, see the PTAC publication Protecting Student Privacy While Using Online Educational Services.
FERPA regulations define disciplinary action or proceeding as the investigation, adjudication, or imposition of sanctions by an educational agency or institution with respect to an infraction or violation of the internal rules of conduct applicable to students of the agency or institution.
For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3.
Disclosure means to permit access to or the release, transfer, or other communication of personally identifiable information (PII) by any means (34 CFR §99.3). Disclosure can be Authorized, such as when a parent or an eligible student gives written consent to share education records with an authorized party (e.g., a researcher). Disclosure can also be Unauthorized or inadvertent (accidental). An unauthorized disclosure can happen due to a data breach or a loss, and an accidental disclosure can occur when data released in public aggregate reports are unintentionally presented in a manner that allows individual students to be identified.
Additional information is available in the PTAC publication Data De-identification: An Overview of Basic Terms.
Disclosure avoidance refers to the efforts made to de-identify the data in order to reduce the risk of disclosure of personally identifiable information (PII). A choice of the appropriate de-identification strategy (also referred to as disclosure limitation method) depends on the nature of the data release, the level of protection offered by a specific method, and the usefulness of the resulting data product. The two major types of data release are aggregated data (such as tables showing numbers of enrolled students by race, age, and sex) and microdata (such as individual-level student assessment results by grade and school). Several acceptable de-identification methods exist for each type of data (see disclosure limitation method for more details).
Additional information is available in the PTAC publication Data De-identification: An Overview of Basic Terms.
Disclosure limitation method (also known as disclosure avoidance method) is a general term referring to a statistical technique used to manipulate the data prior to release to minimize the risk of inadvertent or unauthorized disclosure of personally identifiable information (PII).
Additional information on data de-identification and data governance is available in the PTAC publications Data De-identification: An Overview of Basic Terms, and Data Governance and Stewardship.
An early childhood education program is defined as:
(a) A Head Start program or an Early Head Start program carried out under the Head Start Act, including a migrant or seasonal Head Start program, an Indian Head Start program, or a Head Start program or an Early Head Start program that also receives State funding;
(b) A State licensed or regulated child care program; or
(c) A program that
Additional information is available in the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3 and in the PTAC publication Checklist: Data Sharing Agreement.
Education program is defined as any program principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, and any program that is administered by an educational agency or institution.
For more information, see the Family Educational Rights and Privacy Act regulations, 34 CFR § 99.3.
Education records are those records that are directly related to a student and are maintained by an educational agency or institution or by a party acting for the agency or institution.
For more information, see 20 U.S.C. §1232g(a)(4)(A) and the Family Educational Rights and Privacy Act regulations, 34 CFR §99.3.
Additional information is available in the PTAC publication Checklist: Data Sharing Agreement.
Educational agency or institution refers to any public or private agency or institution to which funds have been made available under any program administered by the Secretary, if the educational institution provides educational services or instruction, or both, to students; or the educational agency is authorized to direct and control public elementary or secondary, or postsecondary educational institutions. For more information, see the Family Educational Rights and Privacy Act regulations, 34 CFR §99.1.
Additional information is available in the PTAC publications Checklist: Data Security and Data Governance and Stewardship.
FERPA defines an eligible student as a student who has reached 18 years of age or is attending a postsecondary institution at any age. This means that, at the secondary level, once a student turns 18, all the rights that once belonged to his or her parents transfer to the student. However, a secondary school or postsecondary institution may still provide an eligible student’s parents with access to education records, without the student’s consent, if the student is claimed as a dependent for IRS tax purposes.
For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3.
Encryption is the process of transforming information using a cryptographic algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as an encryption/decryption key.
Family Educational Rights and Privacy Act is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
Additional information about the Family Educational Privacy Act, 34 CFR § 99, available on the U.S. Department of Education web site, and in the PTAC publication Data Security and Management Training: Best Practice Considerations.
FERPA regulations define financial aid as a payment of funds provided to an individual (or a payment in kind of tangible or intangible property to the individual) that is conditioned on the individual's attendance at an educational agency or institution.
For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.31.
Identifiable form refers to any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
For more information, see the SLDS Technical Brief: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records.
Identification is the process that a system uses to recognize a valid user’s asserted identity. It is the first step in the authentication and authorization process where the user requesting access is asserting that he or she is a valid user. This differs from the authentication process during which the user provides a proof, or factors which prove, that the user really is the person he or she claims to be.
Additional information on authentication is available in the PTAC publication Identity Authentication Best Practices.
Identity disclosure occurs when data in a student level file or aggregate data in tabulations allow the data user to identify a student.
For more information, see the SLDS Technical Brief: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records.
Indirect identifiers include information that can be combined with other information to identify specific individuals, including, for example, a combination of gender, birth date, geographic indicator and other descriptors. Other examples of indirect identifiers include place of birth, race, religion, weight, activities, employment information, medical information, education information, and financial information. See also Direct Identifier.
For more information, see the SLDS Technical Brief: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records.
FERPA regulations define an institution of postsecondary education as an institution that provides education to students beyond the secondary school level.
For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3.
Instructional Material is defined in Protection of Pupil Rights Amendment (PPRA) as all material provided to a student, regardless of format, including printed or representational materials, audio-visual materials, and materials in electronic or digital formats (such as materials accessible through the Internet). The term does not include academic tests or academic assessments.
For more information, see the September 2009 Letter to Superintendents.
FERPA regulations define a law enforcement unit as any individual, office, department, division, or other component of an educational agency or institution, such as a unit of commissioned police officers or non-commissioned security guards, that is officially authorized or designated by that agency or institution to: (i) enforce any local, State, or Federal law, or refer to appropriate authorities a matter for enforcement of any local, State, or Federal law against any individual or organization other than the agency or institution itself; or (ii) maintain the physical security and safety of the agency or institution. A component of an educational agency or institution does not lose its status as a ""law enforcement unit"" if it also performs other, non-law enforcement functions for the agency or institution, including investigation of incidents or conduct that constitutes or leads to a disciplinary action or proceedings against the student.
For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.8.
Masking is a disclosure limitation method that is used to “mask” the original values in a data set to achieve data privacy protection. This general approach uses various techniques, such as data perturbation, to replace sensitive information with realistic but inauthentic data or modifies original data values based on pre-determined masking rules (e.g., by applying a transformation algorithm). The purpose of this technique is to retain the structure and functional usability of the data, while concealing information that could lead to the identification, either directly or indirectly, of an individual student. Masked data are used to protect individual privacy in public reports and can serve as a useful alternative for occasions when the real data are not required, such as user training or software demonstration. Specific masking rules may vary depending on the sensitivity level of the data and organizational data disclosure policies.
Additional information is available in the PTAC publication Data De-identification: An Overview of Basic Terms.
Network security mechanisms are the security products and policies used by network security personnel to prevent and monitor unauthorized access misuse, modification, or denial of the information system and network resources. For example, anti-virus and e-mail security software are network security mechanisms.
Additional information is available in the PTAC publication Data Security: Top Threats to Data Protection.
FERPA regulations define a party as an individual, agency, institution, or organization.
For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3.
Perimeter security mechanisms are the specific security policies and products used at the network perimeter which is defined as the boundary between the private locally managed and operated side of the network and the public side of the network. For example, a firewall and an intrusion detection system are perimeter security mechanisms.
Additional information is available in the PTAC publication Data Security: Top Threats to Data Protection.
Personal information collected from students is a PPRA term referring to individually identifiable information including a student’s or parent’s first and last name; a home or other physical address (including street name and the name of the city or town); a telephone number; or a Social Security identification number collected from any elementary or secondary school student.
Additional information on PPRA is available at 20 U.S.C. § 1232h(c)(6)(E); additional information on protecting the privacy of students’ personal information is available in the PTAC publication Protecting Student Privacy While Using Online Educational Services.
Personally identifiable information (PII) includes information that can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information.
Additional information on PII is available in the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3, and in the PTAC publication Checklist: Data Governance
Personally identifiable information for education records is a FERPA term referring to identifiable information that is maintained in education records and includes direct identifiers, such as a student’s name or identification number, indirect identifiers, such as a student’s date of birth, or other information which can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information.
See Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3, for a complete definition of PII specific to education records and for examples of other data elements that are defined to constitute PII. Additional information is available in the PTAC publication Protecting Student Privacy While Using Online Educational Services.
Perturbation is a disclosure limitation method which involves making small changes to the data to prevent identification of individuals from unique or rare population groups. Data perturbation is a data masking technique in that it is used to “mask” the original values in a data set to avoid disclosure.
Additional information is available in the PTAC publication Data De-identification: An Overview of Basic Terms.
Record code refers to the unique descriptor that can be used to match individual-level records across de-identified data files from the same source (e.g., for the purposes of comparing performance of individual students over time).
Additional information is available in the PTAC publication Data De-identification: An Overview of Basic Terms.
Redaction is a general term describing the process of expunging sensitive data from the records prior to disclosure in a way that meets established disclosure requirements applicable to the specific data disclosure occurrence (e.g., removing or obscuring PII from published reports to meet federal, state, and local privacy laws as well as organizational data disclosure policies). (See disclosure limitation method for more information about specific techniques that can be used for data redaction.)
Additional information is available in the PTAC publication Data De-identification: An Overview of Basic Terms.
A re-identification code enables an authorized researcher to return to the source of de-identified data and match the de-identified data to the source records.
For more information, see the SLDS Technical Brief: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records.
Risk assessment is the process of identifying: (1) all assets an organization possesses, (2) all potential threats to those assets, (3) all points of vulnerability to those threats, (4) the probability of potential threats being realized, and (5) the cost estimates of potential losses. Risk assessment enables an organization to at least consider the range of potential threats and vulnerabilities it faces, and is the first step in effectively securing an information and technology system.
Additional information is available in the PTAC publication Data Security and Management Training: Best Practice Considerations.
Sanitization of the Media is a process which is applied to data or storage media to make data retrieval unlikely for a given level of effort. Clear, Purge, and Destroy are actions that can be taken to sanitize data and media.
Additional information is available in the PTAC publication Best Practices for Data Destruction.
School official means any employee, including teacher, that the school or district has determined to have a “legitimate educational interest” in the personally identifiable information from an education record of a student. School officials may also include third party contractors, consultants, volunteers, service providers, or other party with whom the school or district has outsourced institutional services or functions for which the school or district would otherwise use employees under the school official exception in FERPA.
Additional information about the Family Educational Privacy Act is available at 34 CFR § 99.31(a)(1); additional information about protecting student privacy is available in the PTAC publication Protecting Student Privacy While Using Online Educational Services.
Secure file transfer protocol is a broad term referring to network technology used to encrypt authentication information and data files in transit, so that data files can be safely accessed, transferred, and managed.
Additional information is available in the PTAC publication Identity Authentication Best Practices.
Security token is a physical (hardware or software) device, which a user possesses that serves to prove that the user requesting access is in fact who he or she claims to be. Examples of tokens include smart cards, key fobs, and USB keys.
Additional information is available in the PTAC publication Identity Authentication Best Practices.
SQL injection is an attack technique exploiting security vulnerability of a website to gain access to its operations (e.g., to steal, delete, or modify the content of a database). It is often accomplished by inserting malicious SQL statements into user-input field on a web application form.
Additional information is available in the PTAC publication Identity Authentication Best Practices.
FERPA regulations define student as any individual who is or has been in attendance at an educational agency or institution and regarding whom the agency or institution maintains education records.
For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3.
Suppression is a disclosure limitation method which involves removing data (e.g., from a cell or a row in a table) to prevent the identification of individuals in small groups or those with unique characteristics.
Additional information is available in the PTAC publication Data De-identification: An Overview of Basic Terms.
A targeted request refers to a request for data in which the person requesting the information is trying to get information about a specific student. For example, if there was a rumor published in the local paper that a public official was disciplined for cheating during his senior year in high school, a request to the high school for the disciplinary records of students who were caught cheating during the year the public official was a senior would be considered a targeted request.
For more information, see the SLDS Technical Brief: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records.
Transport Layer Security (TLS) is a cryptographic network protocol that provides authentication confidentiality, and data integrity between two communicating applications. TLS is used as a mechanism to protect sensitive data during electronic dissemination across the Internet.
Additional information is available in the PTAC publication Identity Authentication Best Practices.
Unauthorized disclosure occurs when personally identifiable information from a student’s education record is made available to a third party who does not have legal authority to access the information. Such an unauthorized disclosure can happen inadvertently, as occurs when information about an individual is unintentionally revealed through, for example, a security breach of the electronic system that is used to maintain and access the education records, or when a teacher or administrator accidentally leaves paper reports that include personally identifiable information in an unsecured location. See also Authorized Disclosure, Disclosure, and Identity Disclosure.
For more information, see the SLDS Technical Brief: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records.