FR Doc E7-23541
[Federal Register: December 5, 2007 (Volume 72, Number 233)]
[Notices]
[Page 68572-68576]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr05de07-42]
Download:
-----------------------------------------------------------------------
DEPARTMENT OF EDUCATION
Privacy Act of 1974; System of Records--Migrant Student
Information Exchange
AGENCY: Office of Elementary and Secondary Education, Department of
Education.
ACTION: Notice of a new system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the Privacy Act of 1974, as amended
(Privacy Act), the Department of Education (Department) publishes this
notice of a new system of records entitled ``Migrant Student
Information Exchange'' (MSIX) (18-14-04).
MSIX will contain information on migrant students who participate
in the Migrant Education Program (MEP) authorized under Title I, Part C
of the Elementary and Secondary Education Act of 1965 (ESEA), as
amended by the No Child Left Behind Act of 2001 (Pub. L. 107-110).
Section 1308(b)(2) of ESEA (20 U.S.C. 6398(b)(2)) specifically
[[Page 68573]]
authorizes the implementation of MSIX and its associated minimum data
elements (MDEs). This statutory provision requires the Secretary to
ensure the linkage of migrant student record systems for the purpose of
electronically exchanging, among the States, health and educational
information regarding all migratory students.
DATES: The Department seeks comment on the new system of records
described in this notice, in accordance with the requirements of the
Privacy Act. We must receive your comments on the proposed routine uses
for the system of records described in this notice on or before January
4, 2008.
The Department filed a report describing the new system of records
covered by this notice with the Chair of the Senate Committee on
Homeland Security and Governmental Affairs, the Chair of the House
Committee on Oversight and Government Reform, and the Administrator of
the Office of Information and Regulatory Affairs, Office of Management
and Budget (OMB) on November 30, 2007. This system of records will
become effective at the later date of--(1) the expiration of the 40-day
period for OMB review on January 9, 2008 or (2) January 4, 2008, unless
the system of records needs to be changed as a result of public comment
or OMB review.
ADDRESSES: Address all comments about the proposed routine uses to
Jennifer Dozier, Office of Elementary and Secondary Education, U.S.
Department of Education, 400 Maryland Avenue, SW., room 3E327,
Washington, DC 20202. Telephone: (202) 205-4421. If you prefer to send
comments through the Internet, use the following address:
[email protected].
You must include the term ``Migrant Student Information Exchange''
in the subject line of the electronic message.
During and after the comment period, you may inspect comments about
this notice in room 2W224, 400 Maryland Avenue, SW., Washington, DC,
between the hours of 8 a.m. and 4:30 p.m., Eastern time, Monday through
Friday of each week except Federal holidays.
Assistance to Individuals With Disabilities in Reviewing the Rulemaking
Record
On request, we will supply an appropriate aid, such as a reader or
print magnifier, to an individual with a disability who needs
assistance to review the comments or other documents in the public
rulemaking record for this notice. If you want to schedule an
appointment for this type of aid, please contact the person listed
under FOR FURTHER INFORMATION CONTACT.
FOR FURTHER INFORMATION CONTACT: Jennifer Dozier. Telephone: (202) 205-
4421. If you use a telecommunications device for the deaf (TDD), call
the Federal Relay Service (FRS) at 1-800-877-8339.
Individuals with disabilities can obtain this document in an
alternative format (e.g., Braille, large print, audiotape, or computer
diskette) on request to the contact person listed under this section.
SUPPLEMENTARY INFORMATION:
Introduction
MSIX will provide the technology that will allow all States, in
accordance with applicable law, to share educational and health
information on migrant children who travel from State to State due to
their migratory lifestyle and who, as a result, have student records in
the migrant student databases of multiple States. Authorized
representatives of State and local agencies will use MSIX to assist
with school enrollment, grade placement, and accrual of course credits
for migrant children nationwide. In doing so, MSIX will work in concert
with the existing migrant student information systems that States
currently use to manage their migrant student data. Authorized
representatives of State educational agencies (SEAs), local educational
agencies (LEAs), and other MEP local operating agencies will use MSIX
to retrieve educational and health information on migrant students who
move from State to State due to their migrant lifestyle.
The Privacy Act (5 U.S.C. 552a(e)(4)) requires the Department to
publish in the Federal Register this notice of a new system of records
maintained by the Department. The Department's regulations implementing
the Privacy Act are contained in the Code of Federal Regulations (CFR)
in 34 CFR part 5b.
The Privacy Act applies to information about individuals that
contains individually identifying information that is retrieved by a
unique identifier associated with each individual, such as a name or
social security number. The information about each individual is called
a ``record,'' and the system, whether manual or computer-based, is
called a ``system of records.'' The Privacy Act requires each agency to
publish notices of new or altered systems of records in the Federal
Register and to submit reports to the Administrator of the Office of
Information and Regulatory Affairs, OMB, the Chair of the Senate
Committee on Homeland Security and Governmental Affairs, and the Chair
of the House Committee on Oversight and Government Reform, whenever the
agency publishes a new or altered system of records.
Electronic Access to This Document
You may view this document, as well as all other documents of this
Department published in the Federal Register, in text or Adobe Portable
Document Format (PDF) on the Internet at the following site:
http://www2.ed.gov/news/fedregister/.
To use PDF you must have Adobe Acrobat Reader, which is available
free at this site. If you have questions about using PDF, call the U.S.
Government Printing Office (GPO), toll free, at 1-888-293-6498, or in
the Washington, DC, area at (202) 512-1530.
Note: The official version of this document is the document
published in the Federal Register. Free Internet access to the
official edition of the Federal Register and the CFR is available on
GPO Access at: http://www.gpoaccess.gov/nara/index.html.
Dated: November 30, 2007.
Kerri L. Briggs,
Assistant Secretary for Elementary and Secondary Education.
For the reasons discussed in the preamble, the Assistant Secretary
for Elementary and Secondary Education publishes a notice of a new
system of records to read as follows:
18-14-04
SYSTEM NAME:
Migrant Student Information Exchange (MSIX).
SECURITY CLASSIFICATION:
None.
SYSTEM LOCATION:
(1) U.S. Department of Education, Office of Elementary and
Secondary Education, Office of Migrant Education, 400 Maryland Avenue,
SW., room 3E344, Washington, DC 20202-4614.
(2a) Deloitte LLC, 4301 North Fairfax Drive, Suite 210, Arlington,
VA 22203-1633 (software development and programming).
(2b) Deloitte LLC, 110 West 7th Street, Suite 1100, Tulsa, OK
74119-1107 (help desk for MSIX).
(3a) EDS Data Center, 6031 South Rio Grande Avenue, Orlando, FL
32809-4613 (MSIX Production Servers).
(3b) EDS, 12000 Research Parkway, Orlando, FL 32826-2943 (back-up
tapes).
(4) Navasite Data Center, 8619 Westwood Center Drive, Vienna, VA
22182-2220 (disaster recovery site).
[[Page 68574]]
(5) Access to MSIX is available through the Internet from other
locations.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
This system contains records on all children whom States have
determined to be eligible to participate in the MEP, authorized in
Title I, Part C of the Elementary and Secondary Education Act of 1965
(ESEA), as amended by the No Child Left Behind Act of 2001 (Pub. L.
107-110).
CATEGORIES OF RECORDS IN THE SYSTEM:
The categories of records in the system include the migrant
child's: Name, date of birth, personal identification numbers assigned
by the States and the Department, parent's or parents' name or names,
school enrollment data, school contact data, assessment data, and other
educational and health data necessary for accurate and timely school
enrollment, grade and course placement, and accrual of course credits.
The final request for public comment on the minimum data elements
(MDEs) to be included in MSIX was published, pursuant to the Paperwork
Reduction Act of 1995 clearance process, in the Federal Register on
August 3, 2007 (72 FR 43253-34). More information on the 66 MDEs is
available in the Department's Information Collection Notice at:
http://edicsweb.ed.gov/.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
MSIX is authorized under section 1308(b)(2) of the ESEA, as amended
by the No Child Left Behind Act of 2001 (20 U.S.C. Section 6398(b)(2)).
PURPOSE(S):
The purpose of MSIX is to enhance the continuity of educational and
health services for migrant children by providing a mechanism for all
States to exchange educational and health related information on
migrant children who move from State to State due to their migratory
lifestyle. It is anticipated that the existence and use of MSIX will
help to improve the timeliness of school enrollments, improve the
appropriateness of grade and course placements, and reduce incidences
of unnecessary immunizations of migrant children. Further, MSIX will
facilitate the accrual of course credits for migrant children in
secondary school by providing accurate academic information on the
student's course history and academic progress.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
The Department of Education (Department) may disclose information
contained in a record in this system of records, under the routine uses
listed in this system of records, without the consent of the individual
if the disclosure is compatible with the purposes for which the record
was collected. The Department may make these disclosures on a case-by-
case basis or, if the Department has complied with the computer
matching requirements of the Privacy Act, as amended, under a computer
matching agreement.
(1) MEP Services, School Enrollment, Grade or Course Placement,
Accrual of High School Credits, Student Record Match Resolution. The
Department may disclose a record in this system of records to
authorized representatives of State education agencies (SEAs), local
education agencies (LEAs), and other MEP local operating agencies
(LOAs) to facilitate one or more of the following for a student: (a)
Participation in the MEP, (b) enrollment in school, (c) grade or course
placement, (d) credit accrual, and (e) unique student match resolution.
(2) Contract Disclosure. If the Department contracts with an entity
for the purposes of performing any function that requires disclosure of
records in this system to employees of the contractor, the Department
may disclose the records to those employees who have received the
appropriate level security clearance from the Department. Before
entering into such a contract, the Department will require the
contractor to maintain Privacy Act safeguards, as required under 5
U.S.C. 552a(m), with respect to the records in the system.
(3) Research Disclosure. The Department may disclose records from
this system to a researcher if an appropriate official of the
Department determines that the individual or organization to which the
disclosure would be made is qualified to carry out specific research
related to functions or purposes of this system of records. The
official may disclose information from this system of records to that
researcher solely for the purpose of carrying out that research related
to the functions or purposes of this system of records. The researcher
will be required to maintain Privacy Act safeguards with respect to the
disclosed records.
(4) Freedom of Information Act (FOIA) and Privacy Act Advice
Disclosure. The Department may disclose records to the U.S. Department
of Justice (DOJ) or OMB if the Department concludes that disclosure is
desirable or necessary to determine whether particular records are
required to be disclosed under FOIA or the Privacy Act.
(5) Disclosure in the Course of Responding to Breach of Data. The
Department may disclose records to appropriate agencies, entities, and
persons when (a) it is suspected or confirmed that the security or
confidentiality of information in MSIX has been compromised; (b) the
Department has determined that as a result of the suspected or
confirmed compromise, there is a risk of harm to economic or property
interests, identity theft or fraud, or harm to the security or
integrity of MSIX or other systems or programs (whether maintained by
the Department or by another agency or entity) that rely upon the
compromised information; and, (c) the disclosure is made to such
agencies, entities, and persons who are reasonably necessary to assist
the Department in responding to the suspected or confirmed compromise
and in helping the Department prevent, minimize, or remedy such harm.
(6) Litigation or Alternative Dispute Resolution (ADR) Disclosure.
(a) Introduction. In the event that one of the following parties is
involved in litigation or ADR, or has an interest in litigation or ADR,
the Department may disclose certain records to the parties described in
paragraphs b, c, and d of this routine use under the conditions
specified in those paragraphs:
(i) The Department or any of its components.
(ii) Any Department employee in his or her official capacity.
(iii) Any employee of the Department in his or her individual
capacity where DOJ has agreed to or has been requested to provide or
arrange for representation of the employee.
(iv) Any employee of the Department in his or her individual
capacity where the Department has agreed to represent the employee.
(v) The United States where the Department determines that the
litigation is likely to affect the Department or any of its components.
(b) Disclosure to DOJ. If the Department determines that disclosure
of certain records to DOJ, or attorneys engaged by DOJ, is relevant and
necessary to litigation or ADR, and is compatible with the purpose for
which the records were collected, the Department may disclose those
records as a routine use to DOJ.
(c) Adjudicative Disclosure. If the Department determines that
disclosure of certain records to an adjudicative body before which the
Department is authorized to appear, individual, or
[[Page 68575]]
entity designated by the Department or otherwise empowered to resolve
or mediate disputes is relevant and necessary to litigation or ADR, and
is compatible with the purpose for which the records were collected,
the Department may disclose those records as a routine use to the
adjudicative body, individual, or entity.
(d) Disclosure to Parties, Counsel, Representatives, and Witnesses.
If the Department determines that disclosure of certain records to a
party, counsel, representative, or witness is relevant and necessary to
litigation or ADR, and is compatible with the purpose for which the
records were collected, the Department may disclose those records as a
routine use to a party, counsel, representative, or witness.
(7) Congressional Member Disclosure. The Department may disclose
information from a record of an individual to a member of Congress and
his or her staff in response to an inquiry from the member made at the
written request of that individual. The member's right to the
information is no greater than the right of the individual who
requested it.
DISCLOSURE TO CONSUMER REPORTING AGENCIES:
Not applicable to this system notice.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
The Data Center of the Department's contractor, EDS, stores
computerized student records on server hardware and MSIX backup tapes,
including MSIX Help Desk tapes, in locked file cabinets.
RETRIEVABILITY:
Records in this system are indexed by a unique number, assigned to
each individual, that is cross-referenced by the individual's name.
SAFEGUARDS:
(1) Introduction
Security personnel control and monitor all physical access to the
site of the Department's contractor and subcontractors, where this
system of records is maintained. The computer system employed by the
Department offers a high degree of resistance to tampering and
circumvention. This computer system limits data access to Department
and contract staff on a ``need to know'' basis, and controls individual
users' ability to access and alter records within the system by
granting user names and passwords, and assigning user roles to
individuals that restrict access based on user category (e.g., district
administrator, counselor, state administrator).
The contractor has established a set of procedures to ensure
confidentiality of data, and will maintain the security of the complete
set of all master data files and documentation. The contractor and
subcontractor employees who collect, maintain, use, or disseminate data
in this system, must comply with the requirements of the Privacy Act.
(2) Physical Security of Electronic Data
Physical security of electronic data will be maintained. The MSIX
infrastructure is housed in a secured data center, access to which is
controlled by multiple access controls. These access controls include a
combination of personal photo identification/card scans, biometric hand
scanning, and personal access codes. These access controls also include
man-traps and physical barricades that limit access to the data center
floor and machine rooms. Further, all entrances, exits, and key points
throughout the facility are monitored in real-time via closed circuit
television (CCTV) 24 hours per day. All CCTV is recorded and stored on
tape for audit purposes. These access control mechanisms are centrally
managed by resources within the data center, which is staffed 24 hours
per day.
Security personnel are required to inspect picture identification
and have visitors sign in before granting access to the facility.
Visitors are pre-authorized and registered in a database at least 24
hours prior to their arrival, and are required to provide picture
identification that matches the name given previously to the data
center. All personnel are required to display an identification badge
or an authorized visitor badge at all times while on the premises; and
all packages brought into the data center are subject to inspection.
Backup tapes are employed, and numerous mechanisms protect the
physical security of these backup tapes. First, in the event of a
disaster recovery situation, MSIX backup tapes will be transferred in
locking containers. Contractor and subcontractor employees holding
Department of Defense (DoD) Secret or Interim Secret clearances will
ship the tapes from the EDS Data Center to the Navasite Data Center,
the disaster recovery site. Thus, the MSIX system can be restored in
the event of a disaster at the Navasite Data Center. Second, the backup
tapes are stored in a tape library within the EDS Data Center and are
only available to authorized personnel. Access to the backup tapes is
limited through the use of biometric access control mechanisms. Third,
the backup tapes are stored in fireproof safes.
(c) User Access to Electronic Data
MSIX incorporates a series of security controls mandated by the
Federal Information Security Management Act of 2002 (FISMA) and the
Department. MSIX leverages role-based accounts and security controls to
limit access to the application, its servers, and its infrastructure to
authorized users. All MSIX users must follow a registration process
that involves identity validation and verification prior to gaining
access to MSIX. Once validated and approved, MSIX User Administrators
will grant access to authorized users by creating their MSIX accounts
and assigning the appropriate MSIX roles. MSIX requires users to use
strong passwords, comprised of alphanumeric and special characters, and
uses Oracle's Internet Directory (OID) application to manage its user
accounts. OID stores the name of each MSIX user, each MSIX user's
associated roles and access privileges, and each MSIX user's passwords
using an encrypted format. The MSIX application is only available to
authorized users via a Uniform Resource Locator (URL) that runs under
the Hypertext Transfer Protocol over Secure Socket Layer (HTTPS). No
user may alter records in this system of records except to identify and
assign a student a unique student identifier through the record
matching process. Further, MSIX limits data submissions from State
systems to specific Internet Protocol addresses and requires the use of
Secure File Transfer Protocol.
(d) Additional Security Measures
The MSIX infrastructure also leverages a series of firewalls to
limit internal access to specific protocols and ports, as well as
intrusion detection systems to help identify unauthorized access to
MSIX. MSIX logs and tracks login attempts, data modifications, and
other key application and system events. The MSIX operations and
maintenance team monitors these logs on a regular basis. Further, the
MSIX operations and maintenance team performs vulnerability scans on a
routine basis, monitors the U.S. Computer Emergency Response Team
(CERT) bulletins (see http://www.us-cert.gov/ for more details), and
applies routine operating system and vendor patches as appropriate.
Retention and Disposal:
Records are maintained and disposed of in accordance with the
Department's Records Disposition Schedules as listed under ED 231--
Public and Restricted Use Data Files--Studies.
[[Page 68576]]
System Manager and Address:
Director, Office of Migrant Education, U.S. Department of
Education, 400 Maryland Avenue, SW., room 3E317, Washington, DC 20202-
0001.
Notification Procedure:
If you wish to determine whether a record exists regarding you in
the system of records, contact the system manager at the address listed
under, SYSTEM MANAGER AND ADDRESS. Your request must meet the
requirements of regulations in 34 CFR 5b.5, including proof of
identity.
Record Access Procedure:
If you wish to gain access to your record in the system of records,
contact the system manager at the address listed under SYSTEM MANAGER
AND ADDRESS. Your request must meet the requirements of regulations in
34 CFR 5b.5, including proof of identity.
Contesting Record Procedure:
If you wish to contest the content of a record regarding you in the
system of records, contact the system manager at the address listed
under, SYSTEM MANAGER AND ADDRESS. Your request must meet the
requirements of regulations in 34 CFR 5b.7, including proof of
identity.
Record Source Categories:
The system will contain records that are obtained from SEAs and
LEAs.
Exemptions Claimed for the System:
None.
[FR Doc. E7-23541 Filed 12-4-07; 8:45 am]
BILLING CODE 4000-01-P