Office of Elementary and Secondary Education, Department of Education.
Notice of a new system of records.
In accordance with the Privacy Act of 1974, as amended (Privacy Act), the Department of Education (Department) publishes this notice of a new system of records entitled “Migrant Student Information Exchange” (MSIX) (18-14-04).
MSIX will contain information on migrant students who participate in the Migrant Education Program (MEP) authorized under Title I, Part C of the Elementary and Secondary Education Act of 1965 (ESEA), as amended by the No Child Left Behind Act of 2001 (Pub. L. 107-110). Section 1308(b)(2) of ESEA (20 U.S.C. 6398(b)(2)) specifically authorizes the implementation of MSIX and its associated minimum data elements (MDEs). This statutory provision requires the Secretary to ensure the linkage of migrant student record systems for the purpose of electronically exchanging, among the States, health and educational information regarding all migratory students.
The Department seeks comment on the new system of records described in this notice, in accordance with the requirements of the Privacy Act. We must receive your comments on the proposed routine uses for the system of records described in this notice on or before January 4, 2008.
The Department filed a report describing the new system of records covered by this notice with the Chair of the Senate Committee on Homeland Security and Governmental Affairs, the Chair of the House Committee on Oversight and Government Reform, and the Administrator of the Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on November 30, 2007. This system of records will become effective at the later date of—(1) the expiration of the 40-day period for OMB review on January 9, 2008 or (2) January 4, 2008, unless the system of records needs to be changed as a result of public comment or OMB review.
Address all comments about the proposed routine uses to Jennifer Dozier, Office of Elementary and Secondary Education, U.S. Department of Education, 400 Maryland Avenue, SW., room 3E327, Washington, DC 20202. Telephone: (202) 205-4421. If you prefer to send comments through the Internet, use the following address: firstname.lastname@example.org.
You must include the term “Migrant Student Information Exchange” in the subject line of the electronic message.
During and after the comment period, you may inspect comments about this notice in room 2W224, 400 Maryland Avenue, SW., Washington, DC, between the hours of 8 a.m. and 4:30 p.m., Eastern time, Monday through Friday of each week except Federal holidays.
Assistance to Individuals With Disabilities in Reviewing the Rulemaking Record
On request, we will supply an appropriate aid, such as a reader or print magnifier, to an individual with a disability who needs assistance to review the comments or other documents in the public rulemaking record for this notice. If you want to schedule an appointment for this type of aid, please contact the person listed under FOR FURTHER INFORMATION CONTACT.
FOR FURTHER INFORMATION CONTACT:
Jennifer Dozier. Telephone: (202) 205-4421. If you use a telecommunications device for the deaf (TDD), call the Federal Relay Service (FRS) at 1-800-877-8339.
Individuals with disabilities can obtain this document in an alternative format (e.g., Braille, large print, audiotape, or computer diskette) on request to the contact person listed under this section.
MSIX will provide the technology that will allow all States, in accordance with applicable law, to share educational and health information on migrant children who travel from State to State due to their migratory lifestyle and who, as a result, have student records in the migrant student databases of multiple States. Authorized representatives of State and local agencies will use MSIX to assist with school enrollment, grade placement, and accrual of course credits for migrant children nationwide. In doing so, MSIX will work in concert with the existing migrant student information systems that States currently use to manage their migrant student data. Authorized representatives of State educational agencies (SEAs), local educational agencies (LEAs), and other MEP local operating agencies will use MSIX to retrieve educational and health information on migrant students who move from State to State due to their migrant lifestyle.
The Privacy Act (5 U.S.C. 552a(e)(4)) requires the Department to publish in the Federal Register this notice of a new system of records maintained by the Department. The Department's regulations implementing the Privacy Act are contained in the Code of Federal Regulations (CFR) in 34 CFR part 5b.
The Privacy Act applies to information about individuals that contains individually identifying information that is retrieved by a unique identifier associated with each individual, such as a name or social security number. The information about each individual is called a “record,” and the system, whether manual or computer-based, is called a “system of records.” The Privacy Act requires each agency to publish notices of new or altered systems of records in the Federal Register and to submit reports to the Administrator of the Office of Information and Regulatory Affairs, OMB, the Chair of the Senate Committee on Homeland Security and Governmental Affairs, and the Chair of the House Committee on Oversight and Government Reform, whenever the agency publishes a new or altered system of records.
Electronic Access to This Document
You may view this document, as well as all other documents of this Department published in the Federal Register, in text or Adobe Portable Document Format (PDF) on the Internet at the following site: www.ed.gov/news/fedregister.
To use PDF you must have Adobe Acrobat Reader, which is available free at this site. If you have questions about using PDF, call the U.S. Government Printing Office (GPO), toll free, at 1-888-293-6498, or in the Washington, DC, area at (202) 512-1530.
The official version of this document is the document published in the Federal Register. Free Internet access to the official edition of the Federal Register and the CFR is available on GPO Access at: www.gpoaccess.gov/nara/index.html.
Dated: November 30, 2007.
Kerri L. Briggs,
Assistant Secretary for Elementary and Secondary Education.
For the reasons discussed in the preamble, the Assistant Secretary for Elementary and Secondary Education publishes a notice of a new system of records to read as follows:
Migrant Student Information Exchange (MSIX).
(1) U.S. Department of Education, Office of Elementary and Secondary Education, Office of Migrant Education, 400 Maryland Avenue, SW., room 3E344, Washington, DC 20202-4614.
(2a) Deloitte LLC, 4301 North Fairfax Drive, Suite 210, Arlington, VA 22203-1633 (software development and programming).
(2b) Deloitte LLC, 110 West 7th Street, Suite 1100, Tulsa, OK 74119-1107 (help desk for MSIX).
(3a) EDS Data Center, 6031 South Rio Grande Avenue, Orlando, FL 32809-4613 (MSIX Production Servers).
(3b) EDS, 12000 Research Parkway, Orlando, FL 32826-2943 (back-up tapes).
(4) Navasite Data Center, 8619 Westwood Center Drive, Vienna, VA 22182-2220 (disaster recovery site).
(5) Access to MSIX is available through the Internet from other locations.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
This system contains records on all children whom States have determined to be eligible to participate in the MEP, authorized in Title I, Part C of the Elementary and Secondary Education Act of 1965 (ESEA), as amended by the No Child Left Behind Act of 2001 (Pub. L. 107-110).
CATEGORIES OF RECORDS IN THE SYSTEM:
The categories of records in the system include the migrant child's: Name, date of birth, personal identification numbers assigned by the States and the Department, parent's or parents' name or names, school enrollment data, school contact data, assessment data, and other educational and health data necessary for accurate and timely school enrollment, grade and course placement, and accrual of course credits. The final request for public comment on the minimum data elements (MDEs) to be included in MSIX was published, pursuant to the Paperwork Reduction Act of 1995 clearance process, in the Federal Register on August 3, 2007 (72 FR 43253-34). More information on the 66 MDEs is available in the Department's Information Collection Notice at: http://edicsweb.ed.gov/browse/downldatt.cfm?pkg_serial_num=2841.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
MSIX is authorized under section 1308(b)(2) of the ESEA, as amended by the No Child Left Behind Act of 2001 (20 U.S.C. Section 6398(b)(2)).
The purpose of MSIX is to enhance the continuity of educational and health services for migrant children by providing a mechanism for all States to exchange educational and health related information on migrant children who move from State to State due to their migratory lifestyle. It is anticipated that the existence and use of MSIX will help to improve the timeliness of school enrollments, improve the appropriateness of grade and course placements, and reduce incidences of unnecessary immunizations of migrant children. Further, MSIX will facilitate the accrual of course credits for migrant children in secondary school by providing accurate academic information on the student's course history and academic progress.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:
The Department of Education (Department) may disclose information contained in a record in this system of records, under the routine uses listed in this system of records, without the consent of the individual if the disclosure is compatible with the purposes for which the record was collected. The Department may make these disclosures on a case-by-case basis or, if the Department has complied with the computer matching requirements of the Privacy Act, as amended, under a computer matching agreement.
(1) MEP Services, School Enrollment, Grade or Course Placement, Accrual of High School Credits, Student Record Match Resolution. The Department may disclose a record in this system of records to authorized representatives of State education agencies (SEAs), local education agencies (LEAs), and other MEP local operating agencies (LOAs) to facilitate one or more of the following for a student: (a) Participation in the MEP, (b) enrollment in school, (c) grade or course placement, (d) credit accrual, and (e) unique student match resolution.
(2) Contract Disclosure. If the Department contracts with an entity for the purposes of performing any function that requires disclosure of records in this system to employees of the contractor, the Department may disclose the records to those employees who have received the appropriate level security clearance from the Department. Before entering into such a contract, the Department will require the contractor to maintain Privacy Act safeguards, as required under 5 U.S.C. 552a(m), with respect to the records in the system.
(3) Research Disclosure. The Department may disclose records from this system to a researcher if an appropriate official of the Department determines that the individual or organization to which the disclosure would be made is qualified to carry out specific research related to functions or purposes of this system of records. The official may disclose information from this system of records to that researcher solely for the purpose of carrying out that research related to the functions or purposes of this system of records. The researcher will be required to maintain Privacy Act safeguards with respect to the disclosed records.
(4) Freedom of Information Act (FOIA) and Privacy Act Advice Disclosure. The Department may disclose records to the U.S. Department of Justice (DOJ) or OMB if the Department concludes that disclosure is desirable or necessary to determine whether particular records are required to be disclosed under FOIA or the Privacy Act.
(5) Disclosure in the Course of Responding to Breach of Data. The Department may disclose records to appropriate agencies, entities, and persons when (a) it is suspected or confirmed that the security or confidentiality of information in MSIX has been compromised; (b) the Department has determined that as a result of the suspected or confirmed compromise, there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of MSIX or other systems or programs (whether maintained by the Department or by another agency or entity) that rely upon the compromised information; and, (c) the disclosure is made to such agencies, entities, and persons who are reasonably necessary to assist the Department in responding to the suspected or confirmed compromise and in helping the Department prevent, minimize, or remedy such harm.
(6) Litigation or Alternative Dispute Resolution (ADR) Disclosure.
(a) Introduction. In the event that one of the following parties is involved in litigation or ADR, or has an interest in litigation or ADR, the Department may disclose certain records to the parties described in paragraphs b, c, and d of this routine use under the conditions specified in those paragraphs:
(i) The Department or any of its components.
(ii) Any Department employee in his or her official capacity.
(iii) Any employee of the Department in his or her individual capacity where DOJ has agreed to or has been requested to provide or arrange for representation of the employee.
(iv) Any employee of the Department in his or her individual capacity where the Department has agreed to represent the employee.
(v) The United States where the Department determines that the litigation is likely to affect the Department or any of its components.
(b) Disclosure to DOJ. If the Department determines that disclosure of certain records to DOJ, or attorneys engaged by DOJ, is relevant and necessary to litigation or ADR, and is compatible with the purpose for which the records were collected, the Department may disclose those records as a routine use to DOJ.
(c) Adjudicative Disclosure. If the Department determines that disclosure of certain records to an adjudicative body before which the Department is authorized to appear, individual, or entity designated by the Department or otherwise empowered to resolve or mediate disputes is relevant and necessary to litigation or ADR, and is compatible with the purpose for which the records were collected, the Department may disclose those records as a routine use to the adjudicative body, individual, or entity.
(d) Disclosure to Parties, Counsel, Representatives, and Witnesses. If the Department determines that disclosure of certain records to a party, counsel, representative, or witness is relevant and necessary to litigation or ADR, and is compatible with the purpose for which the records were collected, the Department may disclose those records as a routine use to a party, counsel, representative, or witness.
(7) Congressional Member Disclosure. The Department may disclose information from a record of an individual to a member of Congress and his or her staff in response to an inquiry from the member made at the written request of that individual. The member's right to the information is no greater than the right of the individual who requested it.
DISCLOSURE TO CONSUMER REPORTING AGENCIES:
Not applicable to this system notice.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:
The Data Center of the Department's contractor, EDS, stores computerized student records on server hardware and MSIX backup tapes, including MSIX Help Desk tapes, in locked file cabinets.
Records in this system are indexed by a unique number, assigned to each individual, that is cross-referenced by the individual's name.
Security personnel control and monitor all physical access to the site of the Department's contractor and subcontractors, where this system of records is maintained. The computer system employed by the Department offers a high degree of resistance to tampering and circumvention. This computer system limits data access to Department and contract staff on a “need to know” basis, and controls individual users' ability to access and alter records within the system by granting user names and passwords, and assigning user roles to individuals that restrict access based on user category (e.g., district administrator, counselor, state administrator).
The contractor has established a set of procedures to ensure confidentiality of data, and will maintain the security of the complete set of all master data files and documentation. The contractor and subcontractor employees who collect, maintain, use, or disseminate data in this system, must comply with the requirements of the Privacy Act.
(2) Physical Security of Electronic Data
Physical security of electronic data will be maintained. The MSIX infrastructure is housed in a secured data center, access to which is controlled by multiple access controls. These access controls include a combination of personal photo identification/card scans, biometric hand scanning, and personal access codes. These access controls also include man-traps and physical barricades that limit access to the data center floor and machine rooms. Further, all entrances, exits, and key points throughout the facility are monitored in real-time via closed circuit television (CCTV) 24 hours per day. All CCTV is recorded and stored on tape for audit purposes. These access control mechanisms are centrally managed by resources within the data center, which is staffed 24 hours per day.
Security personnel are required to inspect picture identification and have visitors sign in before granting access to the facility. Visitors are pre-authorized and registered in a database at least 24 hours prior to their arrival, and are required to provide picture identification that matches the name given previously to the data center. All personnel are required to display an identification badge or an authorized visitor badge at all times while on the premises; and all packages brought into the data center are subject to inspection.
Backup tapes are employed, and numerous mechanisms protect the physical security of these backup tapes. First, in the event of a disaster recovery situation, MSIX backup tapes will be transferred in locking containers. Contractor and subcontractor employees holding Department of Defense (DoD) Secret or Interim Secret clearances will ship the tapes from the EDS Data Center to the Navasite Data Center, the disaster recovery site. Thus, the MSIX system can be restored in the event of a disaster at the Navasite Data Center. Second, the backup tapes are stored in a tape library within the EDS Data Center and are only available to authorized personnel. Access to the backup tapes is limited through the use of biometric access control mechanisms. Third, the backup tapes are stored in fireproof safes.
(c) User Access to Electronic Data
MSIX incorporates a series of security controls mandated by the Federal Information Security Management Act of 2002 (FISMA) and the Department. MSIX leverages role-based accounts and security controls to limit access to the application, its servers, and its infrastructure to authorized users. All MSIX users must follow a registration process that involves identity validation and verification prior to gaining access to MSIX. Once validated and approved, MSIX User Administrators will grant access to authorized users by creating their MSIX accounts and assigning the appropriate MSIX roles. MSIX requires users to use strong passwords, comprised of alphanumeric and special characters, and uses Oracle's Internet Directory (OID) application to manage its user accounts. OID stores the name of each MSIX user, each MSIX user's associated roles and access privileges, and each MSIX user's passwords using an encrypted format. The MSIX application is only available to authorized users via a Uniform Resource Locator (URL) that runs under the Hypertext Transfer Protocol over Secure Socket Layer (HTTPS). No user may alter records in this system of records except to identify and assign a student a unique student identifier through the record matching process. Further, MSIX limits data submissions from State systems to specific Internet Protocol addresses and requires the use of Secure File Transfer Protocol.
(d) Additional Security Measures
The MSIX infrastructure also leverages a series of firewalls to limit internal access to specific protocols and ports, as well as intrusion detection systems to help identify unauthorized access to MSIX. MSIX logs and tracks login attempts, data modifications, and other key application and system events. The MSIX operations and maintenance team monitors these logs on a regular basis. Further, the MSIX operations and maintenance team performs vulnerability scans on a routine basis, monitors the U.S. Computer Emergency Response Team (CERT) bulletins (see http://www.us-cert.gov/ for more details), and applies routine operating system and vendor patches as appropriate.
Retention and Disposal:
Records are maintained and disposed of in accordance with the Department's Records Disposition Schedules as listed under ED 231—Public and Restricted Use Data Files—Studies.
System Manager and Address:
Director, Office of Migrant Education, U.S. Department of Education, 400 Maryland Avenue, SW., room 3E317, Washington, DC 20202-0001.
If you wish to determine whether a record exists regarding you in the system of records, contact the system manager at the address listed under SYSTEM MANAGER AND ADDRESS. Your request must meet the requirements of regulations in 34 CFR 5b.5, including proof of identity.
Record Access Procedure:
If you wish to gain access to your record in the system of records, contact the system manager at the address listed under SYSTEM MANAGER AND ADDRESS. Your request must meet the requirements of regulations in 34 CFR 5b.5, including proof of identity.
Contesting Record Procedure:
If you wish to contest the content of a record regarding you in the system of records, contact the system manager at the address listed under SYSTEM MANAGER AND ADDRESS. Your request must meet the requirements of regulations in 34 CFR 5b.7, including proof of identity.
Record Source Categories:
The system will contain records that are obtained from SEAs and LEAs.
Exemptions Claimed for the System:
None.
[FR Doc. E7-23541 Filed 12-4-07; 8:45 am]
BILLING CODE 4000-01-P