System of Records for MSIX

FR Doc E7-23541
[Federal Register: December 5, 2007 (Volume 72, Number 233)]
[Notices]               
[Page 68572-68576]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr05de07-42]                                                                                  
                                                      
                                        

Download: 

-----------------------------------------------------------------------

DEPARTMENT OF EDUCATION

 
Privacy Act of 1974; System of Records--Migrant Student 
Information Exchange

AGENCY: Office of Elementary and Secondary Education, Department of 
Education.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, as amended 
(Privacy Act), the Department of Education (Department) publishes this 
notice of a new system of records entitled ``Migrant Student 
Information Exchange'' (MSIX) (18-14-04).
    MSIX will contain information on migrant students who participate 
in the Migrant Education Program (MEP) authorized under Title I, Part C 
of the Elementary and Secondary Education Act of 1965 (ESEA), as 
amended by the No Child Left Behind Act of 2001 (Pub. L. 107-110). 
Section 1308(b)(2) of ESEA (20 U.S.C. 6398(b)(2)) specifically

[[Page 68573]]

authorizes the implementation of MSIX and its associated minimum data 
elements (MDEs). This statutory provision requires the Secretary to 
ensure the linkage of migrant student record systems for the purpose of 
electronically exchanging, among the States, health and educational 
information regarding all migratory students.

DATES: The Department seeks comment on the new system of records 
described in this notice, in accordance with the requirements of the 
Privacy Act. We must receive your comments on the proposed routine uses 
for the system of records described in this notice on or before January 
4, 2008.
    The Department filed a report describing the new system of records 
covered by this notice with the Chair of the Senate Committee on 
Homeland Security and Governmental Affairs, the Chair of the House 
Committee on Oversight and Government Reform, and the Administrator of 
the Office of Information and Regulatory Affairs, Office of Management 
and Budget (OMB) on November 30, 2007. This system of records will 
become effective at the later date of--(1) the expiration of the 40-day 
period for OMB review on January 9, 2008 or (2) January 4, 2008, unless 
the system of records needs to be changed as a result of public comment 
or OMB review.

ADDRESSES: Address all comments about the proposed routine uses to 
Jennifer Dozier, Office of Elementary and Secondary Education, U.S. 
Department of Education, 400 Maryland Avenue, SW., room 3E327, 
Washington, DC 20202. Telephone: (202) 205-4421. If you prefer to send 
comments through the Internet, use the following address: 
[email protected].

    You must include the term ``Migrant Student Information Exchange'' 
in the subject line of the electronic message.
    During and after the comment period, you may inspect comments about 
this notice in room 2W224, 400 Maryland Avenue, SW., Washington, DC, 
between the hours of 8 a.m. and 4:30 p.m., Eastern time, Monday through 
Friday of each week except Federal holidays.

Assistance to Individuals With Disabilities in Reviewing the Rulemaking 
Record

    On request, we will supply an appropriate aid, such as a reader or 
print magnifier, to an individual with a disability who needs 
assistance to review the comments or other documents in the public 
rulemaking record for this notice. If you want to schedule an 
appointment for this type of aid, please contact the person listed 
under FOR FURTHER INFORMATION CONTACT.

FOR FURTHER INFORMATION CONTACT: Jennifer Dozier. Telephone: (202) 205-
4421. If you use a telecommunications device for the deaf (TDD), call 
the Federal Relay Service (FRS) at 1-800-877-8339.
    Individuals with disabilities can obtain this document in an 
alternative format (e.g., Braille, large print, audiotape, or computer 
diskette) on request to the contact person listed under this section.


SUPPLEMENTARY INFORMATION: 

Introduction

    MSIX will provide the technology that will allow all States, in 
accordance with applicable law, to share educational and health 
information on migrant children who travel from State to State due to 
their migratory lifestyle and who, as a result, have student records in 
the migrant student databases of multiple States. Authorized 
representatives of State and local agencies will use MSIX to assist 
with school enrollment, grade placement, and accrual of course credits 
for migrant children nationwide. In doing so, MSIX will work in concert 
with the existing migrant student information systems that States 
currently use to manage their migrant student data. Authorized 
representatives of State educational agencies (SEAs), local educational 
agencies (LEAs), and other MEP local operating agencies will use MSIX 
to retrieve educational and health information on migrant students who 
move from State to State due to their migrant lifestyle.
    The Privacy Act (5 U.S.C. 552a(e)(4)) requires the Department to 
publish in the Federal Register this notice of a new system of records 
maintained by the Department. The Department's regulations implementing 
the Privacy Act are contained in the Code of Federal Regulations (CFR) 
in 34 CFR part 5b.
    The Privacy Act applies to information about individuals that 
contains individually identifying information that is retrieved by a 
unique identifier associated with each individual, such as a name or 
social security number. The information about each individual is called 
a ``record,'' and the system, whether manual or computer-based, is 
called a ``system of records.'' The Privacy Act requires each agency to 
publish notices of new or altered systems of records in the Federal 
Register and to submit reports to the Administrator of the Office of 
Information and Regulatory Affairs, OMB, the Chair of the Senate 
Committee on Homeland Security and Governmental Affairs, and the Chair 
of the House Committee on Oversight and Government Reform, whenever the 
agency publishes a new or altered system of records.

Electronic Access to This Document

    You may view this document, as well as all other documents of this 
Department published in the Federal Register, in text or Adobe Portable 
Document Format (PDF) on the Internet at the following site: 
http://www2.ed.gov/news/fedregister/.

    To use PDF you must have Adobe Acrobat Reader, which is available 
free at this site. If you have questions about using PDF, call the U.S. 
Government Printing Office (GPO), toll free, at 1-888-293-6498, or in 
the Washington, DC, area at (202) 512-1530.

    Note: The official version of this document is the document 
published in the Federal Register. Free Internet access to the 
official edition of the Federal Register and the CFR is available on 
GPO Access at: http://www.gpoaccess.gov/nara/index.html.



    Dated: November 30, 2007.
Kerri L. Briggs,
Assistant Secretary for Elementary and Secondary Education.
    For the reasons discussed in the preamble, the Assistant Secretary 
for Elementary and Secondary Education publishes a notice of a new 
system of records to read as follows:
18-14-04

SYSTEM NAME:
    Migrant Student Information Exchange (MSIX).

SECURITY CLASSIFICATION:
    None.

SYSTEM LOCATION:
    (1) U.S. Department of Education, Office of Elementary and 
Secondary Education, Office of Migrant Education, 400 Maryland Avenue, 
SW., room 3E344, Washington, DC 20202-4614.
    (2a) Deloitte LLC, 4301 North Fairfax Drive, Suite 210, Arlington, 
VA 22203-1633 (software development and programming).
    (2b) Deloitte LLC, 110 West 7th Street, Suite 1100, Tulsa, OK 
74119-1107 (help desk for MSIX).
    (3a) EDS Data Center, 6031 South Rio Grande Avenue, Orlando, FL 
32809-4613 (MSIX Production Servers).
    (3b) EDS, 12000 Research Parkway, Orlando, FL 32826-2943 (back-up 
tapes).
    (4) Navasite Data Center, 8619 Westwood Center Drive, Vienna, VA 
22182-2220 (disaster recovery site).

[[Page 68574]]

    (5) Access to MSIX is available through the Internet from other 
locations.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    This system contains records on all children whom States have 
determined to be eligible to participate in the MEP, authorized in 
Title I, Part C of the Elementary and Secondary Education Act of 1965 
(ESEA), as amended by the No Child Left Behind Act of 2001 (Pub. L. 
107-110).

CATEGORIES OF RECORDS IN THE SYSTEM:
    The categories of records in the system include the migrant 
child's: Name, date of birth, personal identification numbers assigned 
by the States and the Department, parent's or parents' name or names, 
school enrollment data, school contact data, assessment data, and other 
educational and health data necessary for accurate and timely school 
enrollment, grade and course placement, and accrual of course credits. 
The final request for public comment on the minimum data elements 
(MDEs) to be included in MSIX was published, pursuant to the Paperwork 
Reduction Act of 1995 clearance process, in the Federal Register on 
August 3, 2007 (72 FR 43253-34). More information on the 66 MDEs is 
available in the Department's Information Collection Notice at: 
http://edicsweb.ed.gov/.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    MSIX is authorized under section 1308(b)(2) of the ESEA, as amended 
by the No Child Left Behind Act of 2001 (20 U.S.C. Section 6398(b)(2)).

PURPOSE(S):
    The purpose of MSIX is to enhance the continuity of educational and 
health services for migrant children by providing a mechanism for all 
States to exchange educational and health related information on 
migrant children who move from State to State due to their migratory 
lifestyle. It is anticipated that the existence and use of MSIX will 
help to improve the timeliness of school enrollments, improve the 
appropriateness of grade and course placements, and reduce incidences 
of unnecessary immunizations of migrant children. Further, MSIX will 
facilitate the accrual of course credits for migrant children in 
secondary school by providing accurate academic information on the 
student's course history and academic progress.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    The Department of Education (Department) may disclose information 
contained in a record in this system of records, under the routine uses 
listed in this system of records, without the consent of the individual 
if the disclosure is compatible with the purposes for which the record 
was collected. The Department may make these disclosures on a case-by-
case basis or, if the Department has complied with the computer 
matching requirements of the Privacy Act, as amended, under a computer 
matching agreement.
    (1) MEP Services, School Enrollment, Grade or Course Placement, 
Accrual of High School Credits, Student Record Match Resolution. The 
Department may disclose a record in this system of records to 
authorized representatives of State education agencies (SEAs), local 
education agencies (LEAs), and other MEP local operating agencies 
(LOAs) to facilitate one or more of the following for a student: (a) 
Participation in the MEP, (b) enrollment in school, (c) grade or course 
placement, (d) credit accrual, and (e) unique student match resolution.
    (2) Contract Disclosure. If the Department contracts with an entity 
for the purposes of performing any function that requires disclosure of 
records in this system to employees of the contractor, the Department 
may disclose the records to those employees who have received the 
appropriate level security clearance from the Department. Before 
entering into such a contract, the Department will require the 
contractor to maintain Privacy Act safeguards, as required under 5 
U.S.C. 552a(m), with respect to the records in the system.
    (3) Research Disclosure. The Department may disclose records from 
this system to a researcher if an appropriate official of the 
Department determines that the individual or organization to which the 
disclosure would be made is qualified to carry out specific research 
related to functions or purposes of this system of records. The 
official may disclose information from this system of records to that 
researcher solely for the purpose of carrying out that research related 
to the functions or purposes of this system of records. The researcher 
will be required to maintain Privacy Act safeguards with respect to the 
disclosed records.
    (4) Freedom of Information Act (FOIA) and Privacy Act Advice 
Disclosure. The Department may disclose records to the U.S. Department 
of Justice (DOJ) or OMB if the Department concludes that disclosure is 
desirable or necessary to determine whether particular records are 
required to be disclosed under FOIA or the Privacy Act.
    (5) Disclosure in the Course of Responding to Breach of Data. The 
Department may disclose records to appropriate agencies, entities, and 
persons when (a) it is suspected or confirmed that the security or 
confidentiality of information in MSIX has been compromised; (b) the 
Department has determined that as a result of the suspected or 
confirmed compromise, there is a risk of harm to economic or property 
interests, identity theft or fraud, or harm to the security or 
integrity of MSIX or other systems or programs (whether maintained by 
the Department or by another agency or entity) that rely upon the 
compromised information; and, (c) the disclosure is made to such 
agencies, entities, and persons who are reasonably necessary to assist 
the Department in responding to the suspected or confirmed compromise 
and in helping the Department prevent, minimize, or remedy such harm.
    (6) Litigation or Alternative Dispute Resolution (ADR) Disclosure.
    (a) Introduction. In the event that one of the following parties is 
involved in litigation or ADR, or has an interest in litigation or ADR, 
the Department may disclose certain records to the parties described in 
paragraphs b, c, and d of this routine use under the conditions 
specified in those paragraphs:
    (i) The Department or any of its components.
    (ii) Any Department employee in his or her official capacity.
    (iii) Any employee of the Department in his or her individual 
capacity where DOJ has agreed to or has been requested to provide or 
arrange for representation of the employee.
    (iv) Any employee of the Department in his or her individual 
capacity where the Department has agreed to represent the employee.
    (v) The United States where the Department determines that the 
litigation is likely to affect the Department or any of its components.
    (b) Disclosure to DOJ. If the Department determines that disclosure 
of certain records to DOJ, or attorneys engaged by DOJ, is relevant and 
necessary to litigation or ADR, and is compatible with the purpose for 
which the records were collected, the Department may disclose those 
records as a routine use to DOJ.
    (c) Adjudicative Disclosure. If the Department determines that 
disclosure of certain records to an adjudicative body before which the 
Department is authorized to appear, individual, or

[[Page 68575]]

entity designated by the Department or otherwise empowered to resolve 
or mediate disputes is relevant and necessary to litigation or ADR, and 
is compatible with the purpose for which the records were collected, 
the Department may disclose those records as a routine use to the 
adjudicative body, individual, or entity.
    (d) Disclosure to Parties, Counsel, Representatives, and Witnesses. 
If the Department determines that disclosure of certain records to a 
party, counsel, representative, or witness is relevant and necessary to 
litigation or ADR, and is compatible with the purpose for which the 
records were collected, the Department may disclose those records as a 
routine use to a party, counsel, representative, or witness.
    (7) Congressional Member Disclosure. The Department may disclose 
information from a record of an individual to a member of Congress and 
his or her staff in response to an inquiry from the member made at the 
written request of that individual. The member's right to the 
information is no greater than the right of the individual who 
requested it.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:
    Not applicable to this system notice.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    The Data Center of the Department's contractor, EDS, stores 
computerized student records on server hardware and MSIX backup tapes, 
including MSIX Help Desk tapes, in locked file cabinets.

RETRIEVABILITY:
    Records in this system are indexed by a unique number, assigned to 
each individual, that is cross-referenced by the individual's name.

SAFEGUARDS:
    (1) Introduction
    Security personnel control and monitor all physical access to the 
site of the Department's contractor and subcontractors, where this 
system of records is maintained. The computer system employed by the 
Department offers a high degree of resistance to tampering and 
circumvention. This computer system limits data access to Department 
and contract staff on a ``need to know'' basis, and controls individual 
users' ability to access and alter records within the system by 
granting user names and passwords, and assigning user roles to 
individuals that restrict access based on user category (e.g., district 
administrator, counselor, state administrator).
    The contractor has established a set of procedures to ensure 
confidentiality of data, and will maintain the security of the complete 
set of all master data files and documentation. The contractor and 
subcontractor employees who collect, maintain, use, or disseminate data 
in this system, must comply with the requirements of the Privacy Act.
    (2) Physical Security of Electronic Data
    Physical security of electronic data will be maintained. The MSIX 
infrastructure is housed in a secured data center, access to which is 
controlled by multiple access controls. These access controls include a 
combination of personal photo identification/card scans, biometric hand 
scanning, and personal access codes. These access controls also include 
man-traps and physical barricades that limit access to the data center 
floor and machine rooms. Further, all entrances, exits, and key points 
throughout the facility are monitored in real-time via closed circuit 
television (CCTV) 24 hours per day. All CCTV is recorded and stored on 
tape for audit purposes. These access control mechanisms are centrally 
managed by resources within the data center, which is staffed 24 hours 
per day.
    Security personnel are required to inspect picture identification 
and have visitors sign in before granting access to the facility. 
Visitors are pre-authorized and registered in a database at least 24 
hours prior to their arrival, and are required to provide picture 
identification that matches the name given previously to the data 
center. All personnel are required to display an identification badge 
or an authorized visitor badge at all times while on the premises; and 
all packages brought into the data center are subject to inspection.
    Backup tapes are employed, and numerous mechanisms protect the 
physical security of these backup tapes. First, in the event of a 
disaster recovery situation, MSIX backup tapes will be transferred in 
locking containers. Contractor and subcontractor employees holding 
Department of Defense (DoD) Secret or Interim Secret clearances will 
ship the tapes from the EDS Data Center to the Navasite Data Center, 
the disaster recovery site. Thus, the MSIX system can be restored in 
the event of a disaster at the Navasite Data Center. Second, the backup 
tapes are stored in a tape library within the EDS Data Center and are 
only available to authorized personnel. Access to the backup tapes is 
limited through the use of biometric access control mechanisms. Third, 
the backup tapes are stored in fireproof safes.
    (c) User Access to Electronic Data
    MSIX incorporates a series of security controls mandated by the 
Federal Information Security Management Act of 2002 (FISMA) and the 
Department. MSIX leverages role-based accounts and security controls to 
limit access to the application, its servers, and its infrastructure to 
authorized users. All MSIX users must follow a registration process 
that involves identity validation and verification prior to gaining 
access to MSIX. Once validated and approved, MSIX User Administrators 
will grant access to authorized users by creating their MSIX accounts 
and assigning the appropriate MSIX roles. MSIX requires users to use 
strong passwords, comprised of alphanumeric and special characters, and 
uses Oracle's Internet Directory (OID) application to manage its user 
accounts. OID stores the name of each MSIX user, each MSIX user's 
associated roles and access privileges, and each MSIX user's passwords 
using an encrypted format. The MSIX application is only available to 
authorized users via a Uniform Resource Locator (URL) that runs under 
the Hypertext Transfer Protocol over Secure Socket Layer (HTTPS). No 
user may alter records in this system of records except to identify and 
assign a student a unique student identifier through the record 
matching process. Further, MSIX limits data submissions from State 
systems to specific Internet Protocol addresses and requires the use of 
Secure File Transfer Protocol.
    (d) Additional Security Measures
    The MSIX infrastructure also leverages a series of firewalls to 
limit internal access to specific protocols and ports, as well as 
intrusion detection systems to help identify unauthorized access to 
MSIX. MSIX logs and tracks login attempts, data modifications, and 
other key application and system events. The MSIX operations and 
maintenance team monitors these logs on a regular basis. Further, the 
MSIX operations and maintenance team performs vulnerability scans on a 
routine basis, monitors the U.S. Computer Emergency Response Team 
(CERT) bulletins (see http://www.us-cert.gov/ for more details), and 
applies routine operating system and vendor patches as appropriate.

Retention and Disposal:
    Records are maintained and disposed of in accordance with the 
Department's Records Disposition Schedules as listed under ED 231--
Public and Restricted Use Data Files--Studies.

[[Page 68576]]

System Manager and Address:
    Director, Office of Migrant Education, U.S. Department of 
Education, 400 Maryland Avenue, SW., room 3E317, Washington, DC 20202-
0001.

Notification Procedure:
    If you wish to determine whether a record exists regarding you in 
the system of records, contact the system manager at the address listed 
under, SYSTEM MANAGER AND ADDRESS. Your request must meet the 
requirements of regulations in 34 CFR 5b.5, including proof of 
identity.

Record Access Procedure:
    If you wish to gain access to your record in the system of records, 
contact the system manager at the address listed under SYSTEM MANAGER 
AND ADDRESS. Your request must meet the requirements of regulations in 
34 CFR 5b.5, including proof of identity.

Contesting Record Procedure:
    If you wish to contest the content of a record regarding you in the 
system of records, contact the system manager at the address listed 
under, SYSTEM MANAGER AND ADDRESS. Your request must meet the 
requirements of regulations in 34 CFR 5b.7, including proof of 
identity.

Record Source Categories:
    The system will contain records that are obtained from SEAs and 
LEAs.

Exemptions Claimed for the System:
    None.

 [FR Doc. E7-23541 Filed 12-4-07; 8:45 am]

BILLING CODE 4000-01-P