How CEPI Protects Education Data
The Center for Educational Performance and Information (CEPI), a division of the State Budget Office in the Department of Technology, Management & Budget (DTMB), was established under state law to coordinate efficient, secure and accurate education data collection. CEPI understands the value and necessity of providing education data to policymakers, parents, students and citizens of this state.
CEPI is committed to protecting confidential education records, and to transparency when it comes to data collection, storage and disclosure. Our data security protocols follow strict State of Michigan standards and best practices. Our rigorous privacy policies and procedures meet or exceed data sharing guidelines of the Family Educational Rights and Privacy Act (FERPA).
The U. S. Department of Education’s Privacy Technical Assistance Center (PTAC) explains FERPA rights for families as well as the responsibilities of institutions that hold student records. In addition, the Family Policy Compliance Office (FPCO) provides guidance and resources for parents, students and school officials on FERPA and the Protection of Pupil Rights Amendment.
CEPI collects education data from Michigan’s early childhood, preschool, elementary, secondary, and postsecondary schools and institutions using encrypted, web-based data collection applications maintained in cooperation with DTMB. CEPI only collects data when required by federal and/or state law, or through mutual agreement with educational entities.
Only authorized, authenticated users can submit data to CEPI. Some of the data we collect for different sectors include:
- Student demographics, enrollment, program participation and outcomes
- Personnel and staffing information
- School safety practices and incidents of crime
- School directory information
- School expenditures and revenues
Data are collected for purposes such as:
- School funding
- Accountability and compliance with state and federal laws
- To inform education policies and practices, leading to improved student outcomes
- State and federal reporting
CEPI does not collect data on beliefs or practices on issues such as sex, family life, morality or religion. Nor do we collect political, voting, family financial, biometric or medical/psychological records.
Please see How Your Data Are Used for additional information, including matrices listing individual data elements and how those elements support federal and state reporting requirements. MDE’s Evaluation and Strategic Research web page talks about how the data are used to evaluate and improve Michigan education policies.
Data are stored at a secure state facility in Lansing with disaster recovery and off-site backup. Data storage systems are automatically encrypted with secure socket layering, and the State conducts biannual reviews of internal IT system controls.
Anyone who requires access to the stored data must complete and sign a security form, agreeing to comply with FERPA and all related privacy laws. Access is role-based and authenticated by agency leaders. The State actively monitors access lists and logs.
- Authorized FERPA- and security-trained CEPI, DTMB and contracted IT personnel whose job duties require access.
- Authorized MDE personnel conducting program audits or evaluation studies (limited access).
Data from different collections are connected in the Michigan Statewide Longitudinal Data System (MSLDS). The MSLDS lets us connect data in powerful ways—grade to grade, school to school, level to level. It lets us connect data like school finance, test scores, teacher preparation, gender and ethnicity, graduation rates, college enrollment, special education and gifted programs, and more. These connections help ensure Michigan’s public education system is meeting the needs of all students.
State of Michigan protocols prevent loss, theft, vandalism, illegal access and data corruption. For more information, please see Michigan’s Administrative Guide to State Government. In particular, see Section 900 - Preservation (document retention and disposal) and Section 1300 - Information Standards and Planning (information technology and security).
Privacy laws and CEPI’s Data Privacy and Security Policy guide whether, with whom, and how CEPI discloses education data. All recipients must follow FERPA and related laws.
A Stoplight for Student Data Use summarizes the main provisions of FERPA and related regulations, including when a student’s personally identifiable information may be securely shared under the law. CEPI has also posted a list of Frequently Asked Questions about our Privacy and Security Practices.
Data are disclosed, under certain circumstances and following strict guidelines, to the following groups:
Public: The MI School Data portal offers education data to the public in aggregate form only, and uses techniques like cell suppression for small groups to protect individual-level information.
Educators: MI School Data offers a secure login for school administrators and teachers to access their school’s individual-level, non-suppressed data. Authorized users agree to comply with FERPA and all related privacy laws, as well as certifying their compliance with CEPI Secure Report Use Policies. The system uses login timeouts and password expirations to help protect access.
Other State Agencies: CEPI has established formal data sharing agreements with state agencies such as MDE that require access to these data. The agreements include breach procedures and liability clauses, and all parties agree to follow all laws governing the data. Records are encrypted and, where appropriate, de-identified. The data are limited to what is required for an evaluation or audit of an education program.
Lawmakers: CEPI provides federal and state required reports to lawmakers. We also fill ad hoc data requests from legislators. These reports and requests use aggregate data only.
Researchers: Data are shared with researchers only for the purpose of improving outcomes for Michigan students. A designated Internal Review Board rigorously reviews all requests and monitors the process. Researchers receive de-identified data, and must follow strict data storage, usage, reporting and disposal rules. MDE’s Evaluation and Strategic Research web page details policies and procedures for researchers seeking data.
CEPI has clearly assigned responsibilities for oversight, implementation and monitoring of policies and processes that ensure data are only used or disclosed for proper purposes.
CEPI’s Chief Privacy Officer oversees all privacy and security policies and practices, conducts FERPA and related privacy law training for staff, and ensures that everyone with access to data understands the legal and ethical obligations to safeguard education records.
CEPI’s Governance & Partner Groups provide expertise and advice on data collection, connection, maintenance and security.
The P-20 Longitudinal Data System Advisory Council helps define how CEPI collects, connects and publishes education data in a way that helps ensure privacy and protects the confidentiality of the data.