Title: Privacy and Security in the VLDS
Slide 1: Privacy and Security in the VLDS
Slide 2: Commonwealth Security Benefits (Intended)
- Confidence in the integrity of the data and the systems processes
- Assistance in compliance with laws and regulation involving confidentiality
- A secure environment in which to perform business activities of the Commonwealth
- Identification and protection of key business functions and services in the event of disaster
- Monitoring for intrusions and Network "attacks" on Commonwealth systems
Slide 3: SEC 501-01, the Commonwealth's IS Security Standard, Chapters
- Risk Management
- IT Contingency Planning
- Information Systems Security
- Logical Access Control
- Data Protection
- Facilities Security
- Personnel Security
- Threat Management
- IT Asset Management
Slide 4: Government Data Collection and Dissemination Practices Act (selected items)
- 2.2-3803. Administration of systems including personal information; Internet privacy policy; exceptions.
  - A. Any agency maintaining an information system that includes personal information shall
    - 1. Collect, maintain, use, and disseminate only that personal information permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper purpose of the agency
    - 5. Make no dissemination to another system without (i) specifying requirements for security and usage including limitations on access thereto, and (ii) receiving reasonable assurances that those requirements and limitations will be observed.
    - 6. Maintain a list of all persons or organizations having regular access to personal information in the information system
    - 7. Maintain for a period of three years or until such time as the personal information is purged, whichever is shorter, a complete and accurate record, including identity and purpose, of every access to any personal information in a system, including the identity of any persons or organizations not having regular access authority but excluding access by the personnel of the agency wherein data is put to service for the purpose for which it is obtained
    - 8. Take affirmative action to establish rules of conduct and inform each person involved in the design, development, operation, or maintenance of the system, or the collection or use of any personal information contained therein, about all the requirements of this chapter, the rules and procedures, including penalties for noncompliance, of the agency designed to assure compliance with such requirements
Slide 5: Government Data Collection and Dissemination Practices Act
- 2.2-3805. Dissemination of reports
  - Any agency maintaining an information system that disseminates statistical reports or research findings based on personal information drawn from its system, or from other systems shall
    - 1. Make available to any data subject or group, without revealing trade secrets, methodology and materials necessary to validate statistical analysis, and
    - 2. Make no materials available for independent analysis without guarantees that no personal information will be used in any way that might prejudice judgments about any data subject.
- 2.2-3806. Rights of data subjects.
  - 2. Give notice to a data subject of the possible dissemination of part or all of this information to another agency, nongovernmental organization or system not having regular access authority, and indicate the use for which it is intended, and the specific consequences for the individual, which are known to the agency, of providing or not providing the information.
Slide 6: Family Educational Rights and Privacy Act (2008 Amendments to Regulations)
- State Consolidated Education Data Systems
  - The Department has been working closely with SEAs to establish or upgrade State data systems in order to manage information generated by assessments, and use the data to improve student academic achievement and close achievement gaps. Changes to 99.35(b) make it possible for SEAs and other State educational authorities to implement K-16 accountability systems by redisclosing personally identifiable student information on behalf of LEAs and postsecondary institutions provided they have legal authority to audit or evaluate one another's education programs.
  - Additionally, under FERPA, State educational authorities, such as SEAs and higher education commissions, may disclose education records in personally identifiable form, without consent, to contractors, consultants, and other parties to whom they have outsourced organizational services or functions, including evaluation of Federal or State supported education programs under 99.35, provided that the State educational authority has direct control over that outside party.
Slide 7: Relevant SCHEV Language
- 23-9.6:1. Duties of Council generally.
  - 9. Develop a uniform, comprehensive data information system designed to gather all information necessary to the performance of the Council's duties. The system shall include information on admissions, enrollments, self-identified students with documented disabilities, personnel, programs, financing, space inventory, facilities and such other areas as the Council deems appropriate. When consistent with the Government Data Collection and Dissemination Practices Act, the Virginia Unemployment Compensation Act, and applicable federal law, the Council, acting solely or in partnership with the Virginia Department of Education or the Virginia Employment Commission, may contract with private entities to create de-identified student records for the purpose of assessing the performance of institutions and specific programs relative to the workforce needs of the Commonwealth. For the purposes of this section, "de-identified student records" means records in which all personally identifiable information has been removed.
Slide 8: Component Overview
Diagram components: SLDS Portal; Reporting; Workflow; Data Security; Shaker; Lexicon; Security.
Slide 9: Data Request
(diagram only; no text recovered)
Slide 10: Security Overview
Access matrix (cell values not recovered from the slide):
- Columns (data and portal classes): Aggregated Data (Suppressed); Aggregated Data (Non-Suppressed); Unit Record Level Data; Account Management; Portal Components
- Rows (user classes): Anonymous; Named; Schools; Researchers; Agency Employees; System Admin
Slide 11: Security
- Authentication
  - Suppressed Data
  - Non-Suppressed Data
- Authorization
Slide 12: Reporting Record Level Linked Data
Slide 13: Lexicon Shaker Process
Matching is on Common IDs (deterministic) or on Common Elements with appropriate Transforms, Matching Algorithms and Thresholds (probabilistic).
Diagram elements: Lexicon; User Interface / Portal / LogiXML; Shell Database; Query Building Process (Pre-Authorization); Sample Data shown as three source tables with "Field Name" and "Meta data" columns (fields A, B, C; A, B, N; k, b, n); Workflow Manager; DS 1, DS 2, DS 3; Linking Control; Data Access Control; Sub-Query Optimization; Hashed ID Matrix; Authorized Query; Query Results.
Linking Control: A linking engine process will update the Lexicon periodically to allow query building on known available matched data fields. No data is used in this process. Queries are built on the relationships between data fields in the Lexicon.
Slide 14: Merging UR (Unit Record) Data on Hashed-IDs
Additional Data Sources:
- Possible Connection using Web Service: creates a Web Services Data Source (Oracle), which enables application and data integration by turning an external web service into an SQL data source, making external Web services appear as regular SQL tables. This table function represents the output of calling external web services and can be used in an SQL query.
- Possible Connection using Homogeneous link between Oracle DBs: establish synonyms for global names of remote objects in the distributed system so that the Shaker can access them with the same syntax as local objects.
- Possible Connection using Heterogeneous link: using an available Transparent Gateway or Generic ODBC/OLE.
Sub-query processing priority will be determined for each query to minimize unnecessary data transfer (e.g. not downloading unmatched records unless specifically requested) to optimize join performance; see Query Sub-Process Optimization.
Diagram output: Matched Hash ID Values.
Slide 15: Data Architecture
Diagram elements: DS 1 (ETL1), DS 2, DS 3; VITA (CESC) hosting the Lexicon, Aggregate Linked Data, Shaker / De-identified Record Level Data (note 2), Metadata and Security (note 1), Shell DB, Workflow and SPs (note 3); SLDS Portal providing Aggregate Linked Reports, Record Level Query / Reports, Lexicon UI / Admin and Workflow.
Notes (keyed to the superscripts on the slide):
1. Metadata and Security: contains DBs for Shaker, Ad Hoc metadata, logging, auditing, etc.
2. Shaker / De-identified Record Level Data: database for the Shaker process that temporarily stores linked record level data. The temporary tables will be dropped after a set period of time.
3. SPs: for canned reports, Stored Procedures will be used for data querying and suppression.
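The hashed-ID linkage of slides 13 and 14 and the suppression applied to canned reports on slide 15, shown as an added example that is not VLDS code. It assumes a keyed hash (HMAC-SHA256 with a key shared only by the hashing agencies) and a small-cell threshold of 3; both are assumptions for this demo, and the two source tables are constructed.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample unit-record sources (not VLDS data). Each agency holds the
# raw common identifier; only its keyed hash ever leaves the agency.
EDU = [  # (common id, program)
    ("111-11-1111", "Nursing"), ("222-22-2222", "Nursing"),
    ("333-33-3333", "Nursing"), ("444-44-4444", "Welding"),
    ("555-55-5555", "Welding"), ("666-66-6666", "Nursing"),
]
WAGE = [  # (common id, employed after exit)
    ("111-11-1111", True), ("222-22-2222", True), ("333-33-3333", False),
    ("444-44-4444", True), ("666-66-6666", True), ("777-77-7777", True),
]
LINK_KEY = b"constructed-demo-key"  # assumed: secret shared only by the hashing agencies
SUPPRESSION_THRESHOLD = 3          # assumed small-cell rule for this demo


def hash_id(raw_id: str) -> str:
    """Keyed hash (HMAC-SHA256) of the common ID. An unkeyed hash of a low-entropy
    ID could be matched by hashing every candidate value; the key prevents that."""
    return hmac.new(LINK_KEY, raw_id.encode(), hashlib.sha256).hexdigest()


def deidentify(rows):
    """Replace the raw ID column with its hash; this is the only form that is shared."""
    return {hash_id(rid): value for rid, value in rows}


def link_on_hashed_ids(edu, wage):
    """Inner join on hashed IDs, so unmatched records are never transferred."""
    e, w = deidentify(edu), deidentify(wage)
    return [(h, e[h], w[h]) for h in sorted(e.keys() & w.keys())]


def aggregate_and_suppress(linked, threshold=SUPPRESSION_THRESHOLD):
    """Aggregate per program; cells with fewer than `threshold` records become '*'."""
    total = Counter(program for _, program, _ in linked)
    employed = Counter(program for _, program, emp in linked if emp)
    return {p: (n, employed[p]) if n >= threshold else "*" for p, n in total.items()}


def leaks_raw_id(linked, *sources) -> bool:
    """True if any raw identifier from the sources appears in the linked output."""
    raw = {rid for src in sources for rid, _ in src}
    return any(h in raw for h, _, _ in linked)


if __name__ == "__main__":
    linked = link_on_hashed_ids(EDU, WAGE)
    print(len(linked), "matched; raw ID leaked:", leaks_raw_id(linked, EDU, WAGE))
    print(aggregate_and_suppress(linked))  # {'Nursing': (4, 3), 'Welding': '*'}
```

Threshold suppression alone is not enough when a total is published beside the cells: the suppressed count is recoverable by subtraction, so a report must also suppress a complementary cell or withhold the total.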
Slide 16: Security
- Authentication
  - COV AUTH
- Authorization
  - Role Based
    - Anonymous User
    - Named User
    - System Administrator
    - Agency Employee
    - Researcher
  - Permissions
    - Workflow
    - Reports (Suppressed and Non-Suppressed)
    - Query Building Tool
    - Lexicon
    - Data elements
    - User Account Management
- Data security enforced by/at:
  - Portal
    - Lexicon
      - Viewing
      - Editing
    - Reports
      - Suppressed Data
      - Non-Suppressed Data
    - Workflow
  - Data
    - Database
    - Table
    - Column
Slide 17: Questions?