Data System Privacy

About Data Privacy

Data can be a powerful tool for students, families, and lawmakers when used correctly and with the necessary security and privacy practices in place.

Although data can be used to facilitate change and improvement, there is a need to balance the usefulness of this data with the privacy of the individuals represented by the data.

For more information on who uses student data, see the Data Quality Campaign’s infographic here.

The California Cradle-to-Career Data System (C2C) and Data Privacy

The purpose of C2C is to ensure citizens and families have equitable access to data to make informed decisions about their education and careers and ensure lawmakers and researchers have the information they need to inform policies and practices.

C2C is committed to protecting confidential records of all Californians. The Office of Cradle-to-Career Data does not collect data from students or families. It links and enables the public to gain insights from data that has already been collected and validated by its data partners.

C2C’s privacy policies and procedures follow state and federal laws such as the Family Educational Rights and Privacy Act (FERPA). Its data access and security protocols follow strict federal and state of California standards and best practice technology protocols.

C2C is committed to transparency in its data collections, storage, and disclosure policies and practices.

FAQ: C2C’s Data Privacy

C2C links statewide data from sources that have been historically separated and disconnected. This linking allows the public, lawmakers, State agencies, and researchers to answer complex questions, such as:

Where do young people in my county go after high school?
Are they getting the preparation they need to land and keep jobs with living wages?
What do those trajectories look like when the data is broken down by race, gender, or geography?

Who submits data to C2C?

C2C receives data from validated government & educational sources, covering outcomes from early education, K-12, postsecondary education, and beyond. Please refer to the data elements by provider resource for more information.

How does C2C receive data?

C2C receives data through encrypted channels after it has been collected and validated from its data partners.

How does C2C store data?

Data maintained by C2C is stored on a secure cloud-based system and encrypted while in transit, at rest, and in use. C2C policy ensures careful and frequent reviews of internal IT system controls.

FOR MORE DETAILS ABOUT DATA MAINTAINED BY C2C

In all cases, the Family Educational Rights and Privacy (FERPA) Act and other federal and state laws relevant to data security and privacy, guide whether, with whom, what and how we share confidential data. When these legal requirements permit disclosure, we release the least amount of information necessary, and we make sure recipients understand and agree to the legal requirements contained in state and federal law.

How is data shared with the public and lawmakers?

Formal agreements are established between C2C and all agencies providing data to C2C. C2C builds dashboards, query builders, and has a research request process with the linked data. C2C shares aggregated information about groups of people (not individual-level data) in its data tools. Our dashboard and query builders make it possible for students, families, and lawmakers to disaggregate the data and answer questions important to them. Once C2C’s tools are developed, people will be able to create tables with our query builder feature that display information for groups of people. They will also be able to answer questions by reading C2C’s dashboards and data stories.

How is data shared with researchers?

C2C plans to facilitate a research request process, where C2C’s data partners can review and approve access to deidentified data for specific proposed research projects. Data providers govern their own policies regarding data in accordance with state and federal laws around data privacy. It is ultimately C2C’s data providers’ responsibility to approve research requests.

FOR MORE DETAILS ON THE C2C PLANNED DATA TOOLS

FOR MORE DETAILS ON THE C2C PLANNED RESEARCH REQUEST PROCESS

The public can access aggregated information through the planned data tools on C2C’s website. Additionally, C2C is developing a data request process for researchers to request de-identified data from our data partners to conduct studies. C2C does not grant access to identifiable information from the C2C data system to anyone, including teachers, administrations, and researchers.

What can users of the data system see?

Users are only permitted to see aggregate data unless their role authorizes individual access and data sharing agreements and law permit access.

How does C2C approach system security?

C2C uses a secure cloud-based system leveraging a modern technology stack with backup and disaster recovery capability, and strict adherence to applicable federal, state, and industry standards and best practices.

In addition to deliberation with security representatives from each data provider, C2C has an independent verification and validation team to ensure an accurate assessment of system security.

FOR MORE DETAILS ON THE C2C PLANNED DATA TOOLS

FOR MORE DETAILS ON THE C2C PLANNED RESEARCH REQUEST PROCESS

State law has defined a robust governance structure for C2C and ensures the public has representation. C2C is guided by a 21-member Governing Board which meets quarterly, and is responsible for making decisions that guide the Office in its work, including making decisions on data to be included in the data system. Half of the C2C Governing Board is represented by data providers and the other half is represented by appointees who represent the public users of the data system.

C2C also has two 16-member Advisory Boards – the Data and Tools and Community Engagement and Advisory Boards. These Advisory Boards fully represent the public and provide proposals on the data that should be included in the system, along with recommendations on implementing accessible tools.

C2C has clearly assigned responsibilities for oversight, implementation and monitoring of policies and processes that ensure data are only used or disclosed for proper purposes at every level of the system.

Who ensures data safeguards?

C2C Governing Board members, the Office of C2C, including our Chief Information Security Officer (CISO), ensure the data is safeguarded. CISO representatives from each data provider also provide expertise and advice on data ingestion, maintenance, and security. Additionally, C2C has comprehensive and iterative data validation processes with each data provider to ensure ongoing improvements in interoperability and data quality.

C2C PUBLIC MEETINGS

State and Federal Laws on Data Privacy

State

California Consumer Privacy Act (CCPA) of 2018 and 2020 – California law increasing data privacy protections for California citizens with special provisions for children under 16 and ballot initiative that amends and expands privacy protections under the California Consumer Privacy Act of 2018.
Student Online Personal Information Protection Act — California Business & Professions Code § 22584 – California law including provisions preventing marketing to students and their parents, requirements that student data only be used for specified educational purposes.
California Public Records Act (PRA) – California Government Code §§ 7920.00 – 7931.00 – California law outlining conditions for requesting and receiving records held by public agencies.
California Information Practices Act (IPA) – California Civil Code §§ 1798-1798.1 – California law outlining requirements for collecting and accessing information about public employees.
Employment Records -Unemployment Insurance Code- §§ 1094, 1095– California law on limitations on disclosure of employee wage records

Federal

Family Educational Rights and Privacy Act (FERPA) – 20 United States Code (U.S.C.) § 1232g – Federal law outlining rights and requirements related to accessing, sharing, and amending student records.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) – Federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed.
Higher Education Act of 1965, as amended, §§ 483(a)(3)(E) – Federal law that limits the use of FAFSA application data without a student’s written consent.
Federal-State Unemployment Compensation (Program)- 20 Code of Federal Regulations (CFR) States Code (U.S.C) §§ 603.9 and § 603.10– Federal regulations for disclosures of confidential UC information, including to a third party (other than an agent) or disclosures made on an ongoing basis; requirements for agreements for disclosures of confidential UC information.
Privacy Act of 1974, as amended, 5 U.S.C. § 552a– Federal law establishing a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies, including social security data.