[Federal Register Volume 84, Number 132 (Wednesday, July 10, 2019)]
[Notices]
[Pages 32895-32899]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-14686]
-----------------------------------------------------------------------
DEPARTMENT OF EDUCATION
[Docket ID ED-2018-OESE-0088]
Privacy Act of 1974; System of Records--Migrant Student
Information Exchange
AGENCY: Office of Elementary and Secondary Education, Department of
Education.
ACTION: Notice of a modified system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the Privacy Act of 1974, as amended
(Privacy Act), the Department of Education (Department) publishes this
notice of a modified system of records entitled ``Migrant Student
Information Exchange (MSIX)'' (18-14-04) to modify this system of
records notice, which was last published in the Federal Register on
December 5, 2007.
DATES: Submit your comments on this modified system of records notice
on or before August 9, 2019.
This modified system of records notice will become applicable upon
publication in the Federal Register on July 10, 2019. Modified routine
uses (1), (2), (3), (5), and (6) and new routine use (8) listed under
``ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING
CATEGORIES OF USERS AND PURPOSES OF SUCH USES'' will become applicable
on August 9, 2019, unless the modified system of records notice needs
to be changed as a result of public comment. The Department will
publish any significant changes resulting from public comment.
ADDRESSES: Submit your comments through the Federal eRulemaking Portal
or via postal mail, commercial delivery, or hand delivery. We will not
accept comments submitted by fax or by email or those submitted after
the comment period. To ensure that we do not receive duplicate copies,
please submit your comments only once. In addition, please include the
Docket ID at the top of your comments.
Federal eRulemaking Portal: Go to www.regulations.gov to
submit your comments electronically. Information on using
Regulations.gov, including instructions for accessing agency documents,
submitting comments, and viewing the docket, is available on the site
under the ``help'' tab.
Postal Mail, Commercial Delivery, or Hand Delivery: If you
mail or deliver your comments about this modified system of records,
address them to: Lisa C. Gillette, Director, Office of Migrant
Education, Office of Elementary and Secondary Education, U.S.
Department
[[Page 32896]]
of Education, 400 Maryland Avenue SW, Washington, DC 20202-0001.
Privacy Note: The Department's policy is to make all comments
received from members of the public available for public viewing in
their entirety on the Federal eRulemaking Portal at
www.regulations.gov. Therefore, commenters should be careful to include
in their comments only information that they wish to make publicly
available.
Assistance to Individuals with Disabilities in Reviewing the
Rulemaking Record: On request, we will supply an appropriate
accommodation or auxiliary aid to an individual with a disability who
needs assistance to review the comments or other documents in the
public rulemaking record for this notice. If you want to schedule an
appointment for this type of accommodation or auxiliary aid, please
contact the person listed under FOR FURTHER INFORMATION CONTACT.
FOR FURTHER INFORMATION CONTACT: Lisa C. Gillette, Director, Office of
Migrant Education, Office of Elementary and Secondary Education, U.S.
Department of Education, 400 Maryland Avenue SW, 3E317, Washington, DC
20202-6135. Telephone: (202) 260-1164.
If you use a telecommunications device for the deaf (TDD) or text
telephone (TTY), you may call the Federal Information Relay Service
(FIRS), toll free, at 1-800-877-8339.
SUPPLEMENTARY INFORMATION: The MSIX system of records helps meet the
needs of migratory children by improving the timeliness of the
availability of current educational and health information on migratory
children to school and program staff where migratory children enroll
after moving. MSIX uses the Minimum Data Elements (MDEs) to provide a
standard format for information that States must collect and maintain.
MSIX allows State educational agencies (SEAs) to upload the required
MDEs from their own existing State student record systems into a single
national data repository where information on each migratory child is
maintained, organized, and compiled. As a web-based platform, MSIX
allows authorized users to access a migratory child's MSIX record via a
web browser. Section 1308(b)(2) of the Elementary and Secondary
Education Act of 1965, as amended (ESEA) (20 U.S.C. 6398(b)(2))
requires the Secretary of Education to ensure the linkage of migratory
student record systems for the purpose of electronically exchanging,
among the States, health and educational information regarding all
migratory students.
As described more fully below, this notice will update the
following sections: Security Classification; System Location; Authority
for Maintenance of the System; Purpose(s) of the System; Categories of
Records in the System; Record Source Categories; Policies and Practices
for Storage of Records; Policies and Practices for Retrieval of
Records; Policies and Practices for Retention and Disposal of Records;
Administrative, Technical, and Physical Safeguards; Record Access
Procedures; and Notification Procedures. This modified system of
records notice will update routine uses (1), (2), (3), and (6), and,
pursuant to the requirements in Office of Management and Budget (OMB)
Memorandum 17-12, it will also update routine use (5) and add new
routine use (8). Pursuant to the requirements of OMB Circular No. A-
108, a new section entitled ``History'' also has been added to the
notice.
Introduction: The Department previously published the MSIX system
of records notice in the Federal Register on December 5, 2007 (72 FR
68572-76). This notice will update the following sections: Security
Classification; System Location; Authority for Maintenance of the
System; Purpose(s) of the System; Categories of Records in the System;
Record Source Categories; Routine Uses of Records Maintained in the
System, Including Categories of Users and Purposes of Such Uses;
Policies and Practices for Storage of Records; Policies and Practices
for Retrieval of Records; Policies and Practices for Retention and
Disposal of Records; Administrative, Technical, and Physical
Safeguards; Record Access Procedures; and Notification Procedures.
Pursuant to OMB Circular No. A-108, the section entitled ``SECURITY
CLASSIFICATION'' is updated from ``none'' to ``unclassified.''
The Department is updating the section entitled ``SYSTEM LOCATION''
to list the names and addresses of the current Department contractor
and subcontractor that maintain MSIX records.
The Department is updating the section entitled ``AUTHORITY FOR
MAINTENANCE OF THE SYSTEM'' to update the reference to the current
legal authority.
The Department is updating the section entitled ``PURPOSE(S) OF THE
SYSTEM'' to reflect the current, rather than anticipated, use and
benefits of the system. While the purpose of reducing unnecessary
immunizations is still a goal of the Migrant Education Program (MEP),
MSIX does not track or record incidences of unnecessary immunizations.
The Department is updating the section entitled ``CATEGORIES OF
RECORDS IN THE SYSTEM'' to update the reference to the Paperwork
Reduction Act (PRA) clearance request in the Federal Register which
lists the minimum data elements included in MSIX.
The Department is updating the section entitled ``RECORD SOURCE
CATEGORIES'' to add Migrant Education Program (MEP) local operating
agencies (LOAs), in addition to local educational agencies (LEAs). LOAs
were added to the record source categories to be inclusive of service
delivery organizations that are operating in the MEP participating
States. SEAs submit data to MSIX using data sourced from LEAs and/or
LOAs, depending on the service delivery model used by the SEA. The
Department also is adding parents, guardians, and migratory children to
the section of the notice on record source categories to more closely
adhere to OMB guidance on the Privacy Act and to reflect that LEAs,
LOAs, and SEAs obtain some records directly from parents and migratory
children.
This modified system of records notice will also update routine
uses (1), (2), (3), (5), and (6) and add new routine use (8).
The Department is modifying routine use (1), which was formerly
entitled ``MEP Services, School Enrollment, Grade or Course Placement,
Accrual of High School Credits, Student Record Match Resolution,'' to
include ``data correction by parents, guardians, and migratory
children'' as a reason for disclosure to authorized representatives of
SEAs, LEAs, or other MEP LOAs.
The Department is modifying routine use (2) entitled ``Contract
Disclosure'' and routine use (3) entitled ``Research Disclosure'' to
remove language that respectively referenced safeguard requirements
under subsection (m) of the Privacy Act and Privacy Act safeguards. The
Department revised the language in routine use (2) to permit the
Department to disclose records from this system of records to employees
of Department contractors, whether or not the contractors are covered
by subsection (m) of the Privacy Act, so long as the contractors are
performing a Departmental function that requires disclosing records to
them and they agree to establish and maintain safeguards that will
protect the security and confidentiality of the disclosed records. The
Department also revised the language in routine uses (2) and (3)
because the prior language referring to required safeguards under the
Privacy Act and Privacy Act safeguards was unclear about what
safeguards were
[[Page 32897]]
required and therefore to clarify that contractors and researchers to
whom disclosures are made under these routine uses will be required to
agree to establish and maintain safeguards to protect the security and
confidentiality of the disclosed records. The Department also revised
routine use (2) to remove language that had referred to requiring these
safeguards to be maintained before the contract was entered into and
instead to indicate that the agreement on such safeguards will be
reached as part of any such contract.
Pursuant to the requirements in OMB M-17-12, the Department is
modifying routine use (5) entitled ``Disclosure in the Course of
Responding to a Breach of Data'' and adding routine use (8) entitled
``Disclosure in Assisting another Agency in Responding to a Breach of
Data'' in order to comply with the requirements in OMB M-17-12.
Pursuant to this new routine use, the Department may disclose records
from this system to another Federal agency or Federal entity, when the
Department determines that information from this system of records is
reasonably necessary to assist the recipient agency or entity in (a)
responding to a suspected or confirmed breach or (b) preventing,
minimizing, or remedying the risk of harm to individuals, the recipient
agency or entity (including its information systems, programs, and
operations), the Federal Government, or national security, resulting
from a suspected or confirmed breach.
The Department is modifying routine use (6) entitled ``Litigation
or Alternative Dispute Resolution (ADR) Disclosure'' to replace the
word ``individual,'' which is a defined word under the Privacy Act,
with the word ``person'' to avoid public confusion.
The Department is updating the section entitled ``POLICIES AND
PRACTICES FOR STORAGE OF RECORDS'' to remove references to hardware
stored in locked file cabinets and describe electronic records storage.
The Department is also updating the section entitled ``POLICIES AND
PRACTICES FOR RETRIEVAL OF RECORDS'' to explain that MSIX users
retrieve records by an individual's name, in addition to the unique
identifier assigned to each individual.
The Department is updating the section entitled ``POLICIES AND
PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS'' to reflect the most
recent Department records schedule, and applicable disposition
instruction, which governed the retention and disposition of the
records; and, to explain that said records schedule disposition
instruction is being superseded, pending approval by the National
Archives and Records Administration (NARA), by a new records schedule
submitted by the Department to NARA.
The Department is updating the section entitled ``ADMINISTRATIVE,
TECHNICAL, AND PHYSICAL SAFEGUARDS'' to reflect changes in technical
and physical safeguards offered by the cloud service provider.
The Department is also updating the sections entitled ``RECORD
ACCESS PROCEDURES'' and ``NOTIFICATION PROCEDURES'' to specify the
necessary particulars that the system manager must be provided in
connection with a records access or notification request in order to
distinguish between the records of individuals with the same names.
Pursuant to the requirements of OMB Circular No. A-108, the
Department is also adding a new section to the notice that is entitled
``HISTORY.''
Accessible Format: Individuals with disabilities can obtain this
document in an accessible format (e.g., braille, large print,
audiotape, or compact disc) on request to the person listed under FOR
FURTHER INFORMATION CONTACT.
Electronic Access to This Document: The official version of this
document is the document published in the Federal Register. Free
internet access to the official edition of the Federal Register and the
CFR is available via the Federal Digital System at: www.gpo.gov/fdsys.
At this site you can view this document, as well as all other documents
of the Department published in the Federal Register, in text or
Portable Document Format (PDF). To use PDF you must have Adobe Acrobat
Reader, which is available free at the site.
You may also access documents of the Department published in the
Federal Register by using the article search feature at:
www.federalregister.gov. Specifically, through the advanced search
feature at this site, you can limit your search to documents published
by the Department.
Dated: July 5, 2019.
Frank T. Brogan,
Assistant Secretary for Elementary and Secondary Education.
For the reasons discussed in the preamble, the Assistant Secretary
of the Office of Elementary and Secondary Education of the U.S.
Department of Education (Department) publishes a notice of a modified
system of records to read as follows:
SYSTEM NAME AND NUMBER
Migrant Student Information Exchange (MSIX) (18-14-04).
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
(1) U.S. Department of Education, Office of Migrant Education,
Office of Elementary and Secondary Education, 400 Maryland Avenue SW,
Washington, DC 20202-6135.
(2a) Deloitte Consulting LLC, 1919 North Lynn Street, Arlington, VA
22209-1743 (contractor) (Software development/programming and
operations/maintenance).
(2b) Amazon Web Services (AWS) US-EAST/US-WEST 12900 Worldgate
Drive, Herndon, VA 20170-6039 (subcontractor).
SYSTEM MANAGER(S):
Director, Office of Migrant Education, Office of Elementary and
Secondary Education, U.S. Department of Education, 400 Maryland Avenue
SW, Room 3E317, Washington, DC 20202-0001.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
MSIX is authorized under section 1308(b)(2) of the Elementary and
Secondary Education Act of 1965, as amended (ESEA), 20 U.S.C.
6398(b)(2).
PURPOSE(S) OF THE SYSTEM:
The purpose of MSIX is to enhance the continuity of educational and
health services for migratory children by providing a mechanism for all
States to exchange educational and health-related information on
migratory children who move from State to State due to their migratory
lifestyle. MSIX helps to improve the timeliness of school enrollments,
the appropriateness of grade and course placements, and participation
in the Migrant Education Program (MEP) for migratory children. Further,
MSIX facilitates the accrual of course credits for migratory children
in secondary school by providing accurate academic information on the
students' course history and academic progress.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
This system contains records on all children whom States have
determined to be eligible to participate in the MEP, authorized in
Title I, Part C of the ESEA.
CATEGORIES OF RECORDS IN THE SYSTEM:
The categories of records in the system include the migratory
child's: Name, date of birth, personal identification numbers assigned
by the States and the Department, parent's or parents' name or names,
school enrollment data, school contact data, assessment data, and other
educational and health data necessary for accurate
[[Page 32898]]
and timely school enrollment, grade and course placement, and accrual
of course credits. The final request for public comment on the minimum
data elements (MDEs) to be included in MSIX was published, pursuant to
the Paperwork Reduction Act of 1995 clearance process, in the Federal
Register on May 25, 2016 (81 FR 33246).
RECORD SOURCE CATEGORIES:
The system contains records that are obtained from parents,
guardians, migratory children, State educational agencies (SEAs), local
educational agencies (LEAs), and local operating agencies (LOAs).
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND PURPOSES OF SUCH USES:
The Department may disclose information contained in a record in
this system of records, under the routine uses listed in this system of
records, without the consent of the individual if the disclosure is
compatible with the purposes for which the record was collected. The
Department may make these disclosures on a case-by-case basis or, if
the Department has complied with the computer matching requirements of
the Privacy Act of 1974, as amended (Privacy Act), under a computer
matching agreement.
(1) MEP Services, School Enrollment, Grade or Course Placement,
Accrual of High School Credits, Student Record Match Resolution, and
Data Correction Disclosure. The Department may disclose a record in
this system of records to authorized representatives of SEAs, LEAs, or
other MEP LOAs to facilitate one or more of the following for a
student: (a) Participation in the MEP, (b) enrollment in school, (c)
grade or course placement, (d) credit accrual, (e) unique student match
resolution, and (f) data correction by parents, guardians, and
migratory children.
(2) Contract Disclosure. If the Department contracts with an entity
for the purposes of performing any function that requires disclosure of
records in this system to employees of the contractor, the Department
may disclose the records to those employees who have received the
appropriate level security clearance from the Department. As part of
such a contract, the Department will require the contractor to agree to
establish and maintain safeguards to protect the security and
confidentiality of the disclosed records.
(3) Research Disclosure. The Department may disclose records from
this system to a researcher if an appropriate official of the
Department determines that the individual or organization to which the
disclosure would be made is qualified to carry out specific research
related to functions or purposes of this system of records. The
official may disclose information from this system of records to that
researcher solely for the purpose of carrying out that research related
to the functions or purposes of this system of records. The researcher
will be required to agree to establish and maintain safeguards to
protect the security and confidentiality of the disclosed records.
(4) Freedom of Information Act (FOIA) or Privacy Act Advice
Disclosure. The Department may disclose records to the U.S. Department
of Justice (DOJ) or the Office of Management and Budget (OMB) if the
Department concludes that disclosure is desirable or necessary to
determine whether particular records are required to be disclosed under
the FOIA or the Privacy Act.
(5) Disclosure in the Course of Responding to a Breach of Data. The
Department may disclose records from this system to appropriate
agencies, entities, and persons when (a) the Department suspects or has
confirmed that there has been a breach of the system of records; (b)
the Department has determined that as a result of the suspected or
confirmed breach, there is a risk of harm to individuals, the
Department (including its information systems, programs, and
operations), the Federal Government, or national security; and, (c) the
disclosure made to such agencies, entities, and persons is reasonably
necessary to assist in connection with the Department's efforts in
responding to respond to the suspected or confirmed breach or to
prevent, minimize, or remedy such harm.
(6) Litigation or Alternative Dispute Resolution (ADR) Disclosure.
(a) Introduction. In the event that one of the following parties is
involved in litigation or ADR, or has an interest in litigation or ADR,
the Department may disclose certain records to the parties described in
paragraphs b, c, and d of this routine use under the conditions
specified in those paragraphs:
(i) The Department or any of its components.
(ii) Any Department employee in his or her official capacity.
(iii) Any employee of the Department in his or her individual
capacity where DOJ has agreed to or has been requested to provide or
arrange for representation of the employee.
(iv) Any employee of the Department in his or her individual
capacity where the Department has agreed to represent the employee.
(v) The United States where the Department determines that the
litigation is likely to affect the Department or any of its components.
(b) Disclosure to DOJ. If the Department determines that disclosure
of certain records to DOJ, or attorneys engaged by DOJ, is relevant and
necessary to litigation or ADR, and is compatible with the purpose for
which the records were collected, the Department may disclose those
records as a routine use to DOJ.
(c) Adjudicative Disclosure. If the Department determines that
disclosure of certain records to an adjudicative body before which the
Department is authorized to appear or to a person or entity designated
by the Department or otherwise empowered to resolve or mediate disputes
is relevant and necessary to litigation or ADR, and is compatible with
the purpose for which the records were collected, the Department may
disclose those records as a routine use to the adjudicative body,
person, or entity.
(d) Disclosure to Parties, Counsel, Representatives, and Witnesses.
If the Department determines that disclosure of certain records to a
party, counsel, representative, or witness is relevant and necessary to
litigation or ADR, and is compatible with the purpose for which the
records were collected, the Department may disclose those records as a
routine use to a party, counsel, representative, or witness.
(7) Congressional Member Disclosure. The Department may disclose
information from a record of an individual to a member of Congress and
his or her staff in response to an inquiry from the member made at the
written request of that individual. The member's right to the
information is no greater than the right of the individual who
requested it.
(8) Disclosure in Assisting another Agency in Responding to a
Breach of Data. The Department may disclose records from this system to
another Federal agency or Federal entity, when the Department
determines that information from this system of records is reasonably
necessary to assist the recipient agency or entity in (a) responding to
a suspected or confirmed breach or (b) preventing, minimizing, or
remedying the risk of harm to individuals, the recipient agency or
entity (including its information systems, programs, and operations),
the Federal Government, or national security, resulting from a
suspected or confirmed breach.
[[Page 32899]]
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
The cloud service provider, Amazon Web Services (AWS), through a
subcontract with the Department, stores computerized student records,
including backups, on virtual servers. Physical security of electronic
data is maintained in compliance with the Federal Information Security
Modernization Act of 2014 (FISMA) and National Institute of Standards
and Technology (NIST) standards.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Records in this system are retrieved by name and by the unique
identifier assigned to each individual.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
All records were previously retained and disposed of in accordance
with Department Records Schedule 066: Program Management Files (N1-441-
10-1) (ED 066), Item (a)(3). ED 066, Item (a)(3), is being superseded,
pending approval by the National Archives and Records Administration
(NARA), by a new records schedule submitted by the Department to NARA
entitled, ``Migrant Student Information Exchange (MSIX) Electronic
Information System Records.'' The Department will not destroy the
aforementioned records until such time as said new, NARA-approved
schedule is in effect, as applicable.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
(1) Introduction. Security personnel control and monitor all
physical access to the site of the Department's subcontractor, where
this system of records is maintained. The computer system employed by
the Department offers a high degree of resistance to tampering and
circumvention. This computer system limits data access to Department
and contract staff on a ``need to know'' basis, and controls individual
users' ability to access and alter records within the system by
granting user names and passwords, and assigning user roles.
(2) Physical Security of Electronic Data. The MSIX infrastructure
is housed in a cloud service provider with provisional authorization
from the Federal Risk and Authorization Management Program (FedRAMP)
Joint Authorization Board (JAB) under the Moderate control baseline.
All controls managed by the cloud service provider, including physical
security of electronic data, are reviewed by a third party assessment
organization (3PAO) in accordance with FedRAMP guidance.
(3) User Access to Electronic Data. MSIX leverages role-based
accounts and security controls to limit access to the application, its
servers, and its infrastructure to authorized users in accordance with
the Federal Information Security Modernization Act (FISMA) of 2014 and
the Department Office of Chief Information Officer (OCIO) directives,
policies, standards and procedures. All MSIX users must follow a
registration process that involves identity validation and verification
prior to gaining access to MSIX. MSIX utilizes unique user identifiers
(user IDs) and authenticators (strong passwords). Directory information
for all authorized users is stored in the system. Directory information
maintained in MSIX includes username, full name, work contact
information, and login credentials needed to maintain user accounts.
The MSIX application is only available to authorized users via a
Uniform Resource Locator (URL) that runs under the Hypertext Transfer
Protocol over Secure Socket Layer (HTTPS).
(4) Additional Security Measures. The MSIX infrastructure also
leverages firewalls and intrusion detection systems to limit internal
access and identify unauthorized access to the system. MSIX logs,
monitors, and controls network communications and systems actions.
System components are logically separated from internal organizational
networks and connect to external networks through managed interfaces.
Further, the MSIX operations include conducting vulnerability scans,
monitoring the U.S. Computer Emergency Response Team (CERT) bulletins,
and applying routine operating system and vendor patches as
appropriate.
RECORD ACCESS PROCEDURES:
If you wish to gain access to your record in the system of records,
you must contact the system manager at the address listed under SYSTEM
MANAGER(S). You must provide necessary particulars such as your name,
date of birth, and any other identifying information requested by the
Department while processing the request to distinguish between
individuals with the same name. Your request must meet the requirements
of regulations in 34 CFR 5b.5, including proof of identity.
CONTESTING RECORD PROCEDURES:
If you wish to contest or change the content of a record regarding
you in the system of records, contact the system manager at the address
listed under SYSTEM MANAGER(S). Your request must meet the requirements
of regulations in 34 CFR 5b.7.
NOTIFICATION PROCEDURES:
If you wish to determine whether a record exists regarding you in
the system of records, you must contact the system manager at the
address listed under SYSTEM MANAGER(S). You must provide necessary
particulars such as your name, date of birth, and any other identifying
information requested by the Department while processing the request to
distinguish between individuals with the same name. Your request must
meet the requirements of regulations in 34 CFR 5b.5, including proof of
identity.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
The system of records was originally published in the Federal
Register on December 5, 2007 (72 FR 68572-68576).
[FR Doc. 2019-14686 Filed 7-9-19; 8:45 am]
BILLING CODE 4000-01-P