Treatment of Student Data
AERDF conducts and supports equity-centered inclusive research & development (R&D) projects in a variety of educational areas. AERDF projects frequently make use of educational technologies and cutting-edge research approaches, and are always centered in approaches that lift up the brilliance of Black and Latino students, and students of all races experiencing poverty.
These R&D projects collect and create a variety of information with students, families and other participants. R&D projects may engage partners with extensive experience working with and protecting student information (e.g., universities that mandate security standards). Adoption of ethical security and privacy standards is a critical consideration guiding decisions about which organizations we partner with.
We are guided by the tenet that “all information worth collecting is worth protecting”, and thus consider compliance with legal regulations the minimal level of protection of student information. We deeply respect and center the students, families, and communities we work with, and have thus created intentional systems and structures to ethically steward this information.
Measures we take to protect student information include:
- Removing Personally Identifiable Information (PII) from Data – we take active steps to prevent collecting personally identifiable information (PII), and to not store PII if collected data contains PII. In the case that this information is temporarily required (e.g., to merge multiple information sources from the same person) identifiable information is replaced with unique random identifiers, and will be removed as early as possible (ideally before data collection, and if collected, as soon as possible after collection). We also apply appropriate technical procedures to ensure that indirectly identifiable information is appropriately masked, aggregated or otherwise treated.
- Storing Data on Certified Secure Platforms – information from AERDF research projects is stored on platforms that use secure practices including encrypting data at rest so that they cannot be read even if they were accessed inappropriately. AERDF data platforms are independently audited at least annually and certified compliant with industry standards for security (e.g., SOC2).
- Restricting Access Controls – data may only be shared with approved AERDF research users who are limited by data use agreements that are reviewed by the AERDF Privacy Team. Before any data are shared with approved AERDF research users, they are classified depending on the level of confidentiality of that data, and only people who have a relevant role to use that data are provided access. Some data may be classified as “not confidential”, for example, if they contain only de-identified research results or data that cannot be linked to an individual. “Not confidential” data will only be available for approved AERDF research users, and access levels and classification levels are reviewed regularly.
- Enabling Participant Rights to Remove Data – any participant in an AERDF project has a right to request removal of previously collected data, provided it is possible to connect data to a specific person (see Removing Personally Identifiable Information from Data above). Participants are able to opt out of participating in research while still engaging in the underlying learning activities being researched.
- Requiring IRB Review for all Research Projects – all AERDF projects that collect or create data, whether conducted by awardees or programs, are reviewed by an Institutional Review Board (IRB) and the AERDF Privacy Team to ensure that they are compliant with all relevant privacy laws and regulations, embody best practices around participant assent/consent, and do not pose greater than minimal risk to the participants. AERDF also recognizes that IRB Review is one tool among many: AERDF requires IRB review because the review is an important tool, but our data practices exceed what is generally covered in most IRB reviews.
- Requiring Security Training – any approved AERDF research user accessing student information must complete security training (CITI certification) and be certified competent in that training before they are provided access. The amount of training required is commensurate with the degree of access and responsibility that each person holds with respect to that data.
- Requiring Data Management Plans for all Projects – each AERDF-funded project will have in place an approved Data Management Plan that ensures that the organization is compliant with security standards and data privacy practices. Implementation of these plans will be coordinated by AERDF’s privacy officer, other AERDF staff, and key staff from research partners. These plans are consistent with the type of research being conducted, the data being collected and the analysis that is planned.
If you have feedback or suggestions regarding our student information practices, please contact firstname.lastname@example.org.
AERDF is committed to ensuring the breakthroughs developed in its Inclusive R&D programs are made available to as many of our priority students as possible. For more information, please see our Global Access Commitment.