§95.1001: Operation of Education Research Centers

(a) Definitions. The following words and terms, when used in this section, shall have the following meanings, unless the context clearly indicates otherwise.

(1) FERPA--the Family Educational Rights and Privacy Act, 42 U.S.C. 1232g, including regulations and informal written guidance issued by the United States Department of Education and any amendments or supplementation thereof.

(2) Confidential information--as applied to data provided to an Education Research Center (ERC) by the Texas Education Agency (TEA) or the Texas Higher Education Coordinating Board (THECB) includes all student-level data, including any data cells small enough to allow identification of an individual student. All social security numbers, student names, student birthdates, and data cells containing between one and four students, inclusive, are confidential.

(3) Small data cells--any cell containing between one and four students inclusive. Information may not be disclosed where small data cells can be determined through subtraction or other simple mathematical manipulations or subsequent cross-tabulation of the same data with other variables. Institutions may use any of the common methods for masking including:

(A) hiding the small cell and the next larger cell on the row and column so the size of the small cell cannot be determined; or

(B) hiding the small cell and displaying the total for both the row and column as a range of at least ten; or

(C) any methodology approved by the TEA and THECB.

(4) Texas Higher Education Coordinating Board--References to the THECB shall also be deemed to include the commissioner of higher education.

(5) Texas Education Agency--References to the TEA shall also be deemed to include the commissioner of education.

(b) Purpose.

(1) ERCs may be established by joint approval of the commissioner of education and the THECB. An ERC may only be established at a sponsoring public institution of higher education (IHE) in Texas, but may be awarded to a consortium of such institutions. An ERC must be physically located within Texas and must retain all data at that location, except for secure off-site data back up in accordance with written procedures approved by the Joint Advisory Board described in subsection (c) of this section. Student level data may not be provided to a researcher at a location other than an ERC, the THECB, or a public IHE located in Texas that is an acknowledged consortium member of the ERC.

(2) The THECB is responsible for general oversight, technical assistance, and state support of ERCs, except as otherwise provided in this chapter. All policy decisions and rulemaking shall be jointly approved by the TEA and the THECB.

(3) Sponsoring IHEs are responsible for all equipment, salaries, and other operating costs of an ERC, including staff and equipment at the TEA and the THECB necessary to prepare and maintain data for the ERCs, as well as reasonable reimbursable expenses of the Joint Advisory Board. Costs will be limited to one full-time equivalent employee at each agency along with associated data storage costs as set by the Texas Department of Information Resources (DIR) for the data center consolidation rates, unless otherwise agreed to by the TEA, the THECB, and the ERCs.

(c) Joint Advisory Board.

(1) The commissioner of education and the commissioner of higher education shall co-chair a Joint Advisory Board to review and approve research involving access to confidential information and to adopt policies governing ERC operations. Each commissioner may delegate to an agency employee the ability to act as co-chair and vote on matters coming before the Joint Advisory Board.

(2) The commissioner of education and the commissioner of higher education shall jointly appoint up to ten additional members to the Joint Advisory Board. All research involving access to confidential information must be approved by the Joint Advisory Board.

(3) Members of the Joint Advisory Board serve at the pleasure of the commissioner of education and the commissioner of higher education and must be reappointed annually. The Joint Advisory Board will post its agenda and conduct its meetings in compliance with the Texas Open Meetings Act.

(4) The Joint Advisory Board shall meet at the call of the two chairs at least twice each year.

(d) Operation.

(1) An ERC may operate only under written authorization by the commissioner of education and the THECB. Status as an ERC may not be assigned, delegated, or transferred to any other entity.

(2) An ERC shall be lead by a managing director who is a professional employee of the sponsoring IHE. The managing director shall report directly to the chief operating officer of the sponsoring IHE unless a different reporting structure is approved by the TEA and the THECB.

(3) All research at an ERC involving access to confidential information shall be conducted only with the approval of and under the joint oversight of the TEA and the THECB through the Joint Advisory Board. Research that does not involve access to confidential information may be conducted by the ERC without approval of the Joint Advisory Board upon 30 days notice to the TEA and the THECB and certification by the ERC that sufficient resources will be available to meet all demands for resources to conduct research or manipulate data under the direction of the Joint Advisory Board or on behalf of the TEA or the THECB.

(4) Confidential information provided to an ERC by the TEA or the THECB shall be protected by procedures to ensure that any unique identifying number is not traceable to any individual. Such procedures must be maintained as confidential by the TEA and the THECB and may not be shared with an ERC, or used for any other purpose. Under no circumstances may social security numbers, names, or birthdates be accessed for the purpose of research at an ERC.

(5) ERCs shall adopt written procedures for research conducted using confidential information, subject to approval by the Joint Advisory Board. An ERC may not access confidential information until all such procedures are approved. Such procedures shall include:

(A) measures to ensure against unauthorized disclosure of confidential information;

(B) independent review of all research products by a designated ERC staff person not involved in that specific project to ensure against unauthorized disclosure of confidential information;

(C) review of all datasets created by a researcher to ensure that confidential information is not copied or removed from the ERC;

(D) annual certification of full compliance with all requirements of state and federal laws and regulations regarding the use of confidential information for research purposes by the internal auditor of each participating IHE;

(E) approval of research design by an accredited IHE, including any applicable requirements for research involving human subjects, before submitting a research proposal to the Joint Advisory Board for approval; and

(F) criteria for allocating research access capacity for researchers not affiliated with the sponsoring IHEs.

(6) All research produced at an ERC shall:

(A) be made available upon request to the TEA and the THECB;

(B) be available for public distribution, copying, or reproduction at no cost to the TEA or the THECB;

(C) contain a disclaimer in a form acceptable to the TEA and the THECB stating that the conclusions of the research do not necessarily reflect the opinion or official position of those entities or of the State of Texas; and

(D) be reviewed before publication or other distribution by individuals other than those conducting the research to ensure that confidential information is not disclosed, in accordance with guidelines adopted under FERPA or by the TEA or the THECB.

(7) An ERC shall comply with the requirements of the Texas Public Information Act, including requirements relating to data manipulation. An ERC shall process any Public Information Act requests referred by the TEA or the THECB in a timely manner. Charges for processing Public Information Act requests shall be based on guidelines developed by the Texas Attorney General's Office and approved by the Joint Advisory Board.

(8) A sponsoring IHE shall cooperate fully with all audit requests made by the TEA or the THECB. Each ERC shall annually request and undergo a security audit performed by the Texas Department of Information Resources, or a contractor approved by that Department, which shall include a penetration test of computer equipment and access.

(9) Research projects that require access to data not then included in the database maintained by the THECB for research will be provided by the THECB or the TEA if available. An ERC will be charged the cost to process or manipulate such data. ERCs will be assessed for annual maintenance costs of the THECB and the TEA as approved by the Joint Advisory Board.

(e) Sanctions and termination.

(1) Upon a determination that confidential information has been released or has been copied to another location, or that appropriate security measures are not in place to protect confidential information, the Joint Advisory Board may require an ERC to obtain appropriate services or equipment or to remove confidential information from such other location in order to remedy a security deficit. Such services or equipment shall be purchased by the ERC from vendors subject to approval of the Joint Advisory Board.

(2) An ERC may be terminated by joint action of the TEA and the THECB for failure to meet the requirements of state or federal law, of this section, or of the terms of a contract establishing the ERC. An ERC shall be entitled to an informal review of a determination to terminate its status by a designee of the commissioner of education and the commissioner of higher education prior to the effective date of the termination.

(3) Notice of termination under paragraphs (1) and (2) of this subsection shall be provided to the ERC's designated representative and shall contain information regarding the reasons for the termination.

(4) A termination made pursuant to this section shall become final and binding unless, within 30 days of its receipt of the notice of termination, the ERC invokes the administrative remedies contained in Chapter 1, Subchapter B, of this title (relating to Dispute Resolution).

(5) Any ultimate recommendation regarding termination shall be made to both the THECB and the commissioner of education. The THECB and the commissioner of education must concur for any termination of an ERC invoking such administrative remedies to become final.

(f) Security.

(1) An ERC must comply with all requirements of FERPA in accessing confidential information to conduct research. Notwithstanding any other provision in this subchapter, failure to maintain adequate security to avoid the unauthorized disclosure of confidential information provided to the ERC shall be grounds for immediate termination of the authorization to access such data.

(2) All physical locations at which confidential information may be accessed at an ERC must be located within Texas, at a sponsoring IHE, and approved by both the TEA and the THECB. Each ERC may provide for off-site data back up of information for disaster recovery purposes in accordance with the DIR processes. No research can be performed at a back-up site.

(3) Either the TEA or the THECB may suspend access to confidential information provided to an ERC based on a significant risk of unauthorized disclosure of confidential information.

Comments

Source Note: The provisions of this §95.1001 adopted to be effective December 30, 2007, 32 TexReg 9625