Protecting Student Privacy
OSPI takes seriously its obligations to secure data systems and protect the privacy of students. Strict processes help safeguard the confidentiality and security of the data.
One of the most effective ways to improve teaching and learning is to collect and analyze data. It tells us if students are on track for graduation, college, and careers, or if they need additional help. It tells schools if their education programs are working. It helps state leaders make informed decisions based on facts, rather than anecdotes.
Data can be collected either because it was mandated by the state Legislature or it was approved by OSPI’s data governance workgroup, which includes employees from school districts and statewide organizations, as well as researchers. For data collection to be approved, there must be a compelling reason to have it.
What student data does OSPI collect?
- Student demographics (name, date of birth, race/ethnicity, gender, language spoken at home).
- Enrollment (school, district, grade level, entry date, exit date and reason).
- Programs (special education, highly capable, free and reduced-price lunch, English language learner).
- Grade history (high school) and student schedule.
- Absences (full-day or half-day absence and date, excused or unexcused).
- Discipline (suspensions or expulsions, number of days, associated behavior type).
- Assessments (state test scores, Student Growth Percentiles (SGPs), alternative assessments).
The Family Educational Rights and Privacy Act (FERPA) is a federal law passed in 1974. Among other provisions, FERPA requires schools to get permission from a parent or eligible student (a student who is at least 18 years old or is enrolled in a college or university) before the school releases data that personally identifies that student. FERPA allows for the sharing of student information without permission in certain instances, such as when:
- School officials, including contractors, have a legitimate educational interest in the data.
- Determining financial aid.
- Developing, validating, or administering predictive tests.
- Administering student aid programs.
- Local, state, and certain federal representatives conduct an audit of or evaluate a school’s education program.
Under state law, records retained by state and local agencies are generally subject to disclosure under the Public Records Act. This requirement, however, doesn’t apply to personal information in any files maintained for students in public schools (RCW 42.56.230).
Federal laws require OSPI to make certain student testing data available at a summary level. Summary data allow us to answer questions such as, “How many of Adams High School’s students are Asian?” or “How many of Jefferson Middle School’s 8th graders met standard on the statewide math test?” Summary data may be found online:
Sometimes, OSPI enters into agreements to share more specific data that may include student names. These agreements allow researchers, state contractors, and some state government agencies who act on behalf of OSPI or local school districts to study, audit, and evaluate our public school system, administer tests, or improve instruction.
These agreements involve a signed, written contract between OSPI and the organization receiving the data, and require the recipient to specify the student data being shared and the purpose and duration of use, to maintain the confidentiality of the data, and to destroy the data when they are no longer needed.
Some researchers who aren’t acting on behalf of a school district or the state request de-identified student-level data—that is, data that don’t include students’ names and State Student Identification numbers—to conduct independent studies of our school system. These researchers must submit a detailed request form including a description of the research, planned analyses, and a justification for the requested data. If approved by OSPI’s review panel, the researchers must sign a written agreement with OSPI, including requirements to maintain the security of the data and to take no steps to use the data to identify individual students. OSPI never shares identifiable student-level data with the general public.
OSPI maintains an Information Technology security program that is updated at least annually. The program consists of annual security training, third-party risk assessments, security testing, and audits. OSPI’s systems are updated regularly to prevent unauthorized access to our systems.
OSPI maintains a variety of agency policies that address data and information privacy and are intended to secure all media containing sensitive or confidential data.
Generally, no. If your child goes to public school, he/she must be included in counts and summary reports about public education. School districts are required to submit information to the state on all their students. However, through the school, you can opt out of having your child’s directory information shared with other entities. Directory information includes things like the student’s name, address, telephone listing, and email address.