AGENCY:

Office of Elementary and Secondary Education, Department of Education.

ACTION:

Notice of a modified system of records.

SUMMARY:

In accordance with the Privacy Act of 1974, as amended (Privacy Act), the Department of Education (Department) publishes this notice of a modified system of records entitled “Migrant Student Information Exchange (MSIX)” (18-14-04) to modify this system of records notice, which was last published in the Federal Register on December 5, 2007.

DATES:

Submit your comments on this modified system of records notice on or before August 9, 2019.

This modified system of records notice will become applicable upon publication in the Federal Register on July 10, 2019. Modified routine uses (1), (2), (3), (5), and (6) and new routine use (8) listed under “ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES” will become applicable on August 9, 2019, unless the modified system of records notice needs to be changed as a result of public comment. The Department will publish any significant changes resulting from public comment.

ADDRESSES:

Submit your comments through the Federal eRulemaking Portal or via postal mail, commercial delivery, or hand delivery. We will not accept comments submitted by fax or by email or those submitted after the comment period. To ensure that we do not receive duplicate copies, please submit your comments only once. In addition, please include the Docket ID at the top of your comments.

• Federal eRulemaking Portal: Go to www.regulations.gov to submit your comments electronically. Information on using Regulations.gov, including instructions for accessing agency documents, submitting comments, and viewing the docket, is available on the site under the “help” tab.
• Postal Mail, Commercial Delivery, or Hand Delivery: If you mail or deliver your comments about this modified system of records, address them to: Lisa C. Gillette, Director, Office of Migrant Education, Office of Elementary and Secondary Education, U.S. Department Start Printed Page 32896of Education, 400 Maryland Avenue SW, Washington, DC 20202-0001.

Privacy Note: The Department's policy is to make all comments received from members of the public available for public viewing in their entirety on the Federal eRulemaking Portal at www.regulations.gov. Therefore, commenters should be careful to include in their comments only information that they wish to make publicly available.

Assistance to Individuals with Disabilities in Reviewing the Rulemaking Record: On request, we will supply an appropriate accommodation or auxiliary aid to an individual with a disability who needs assistance to review the comments or other documents in the public rulemaking record for this notice. If you want to schedule an appointment for this type of accommodation or auxiliary aid, please contact the person listed under FOR FURTHER INFORMATION CONTACT.

FOR FURTHER INFORMATION CONTACT:

Lisa C. Gillette, Director, Office of Migrant Education, Office of Elementary and Secondary Education, U.S. Department of Education, 400 Maryland Avenue SW, 3E317, Washington, DC 20202-6135. Telephone: (202) 260-1164.

If you use a telecommunications device for the deaf (TDD) or text telephone (TTY), you may call the Federal Information Relay Service (FIRS), toll free, at 1-800-877-8339.

SUPPLEMENTARY INFORMATION:

The MSIX system of records helps meet the needs of migratory children by improving the timeliness of the availability of current educational and health information on migratory children to school and program staff where migratory children enroll after moving. MSIX uses the Minimum Data Elements (MDEs) to provide a standard format for information that States must collect and maintain. MSIX allows State educational agencies (SEAs) to upload the required MDEs from their own existing State student record systems into a single national data repository where information on each migratory child is maintained, organized, and compiled. As a web-based platform, MSIX allows authorized users to access a migratory child's MSIX record via a web browser. Section 1308(b)(2) of the Elementary and Secondary Education Act of 1965, as amended (ESEA) (20 U.S.C. 6398(b)(2)) requires the Secretary of Education to ensure the linkage of migratory student record systems for the purpose of electronically exchanging, among the States, health and educational information regarding all migratory students.

As described more fully below, this notice will update the following sections: Security Classification; System Location; Authority for Maintenance of the System; Purpose(s) of the System; Categories of Records in the System; Record Source Categories; Policies and Practices for Storage of Records; Policies and Practices for Retrieval of Records; Policies and Practices for Retention and Disposal of Records; Administrative, Technical, and Physical Safeguards; Record Access Procedures; and Notification Procedures. This modified system of records notice will update routine uses (1), (2), (3), and (6), and, pursuant to the requirements in Office of Management and Budget (OMB) Memorandum 17-12, it will also update routine use (5) and add new routine use (8). Pursuant to the requirements of OMB Circular No. A-108, a new section entitled “History” also has been added to the notice.

Introduction: The Department previously published the MSIX system of records notice in the Federal Register on December 5, 2007 (72 FR 68572-76). This notice will update the following sections: Security Classification; System Location; Authority for Maintenance of the System; Purpose(s) of the System; Categories of Records in the System; Record Source Categories; Routine Uses of Records Maintained in the System, Including Categories of Users and Purposes of Such Uses; Policies and Practices for Storage of Records; Policies and Practices for Retrieval of Records; Policies and Practices for Retention and Disposal of Records; Administrative, Technical, and Physical Safeguards; Record Access Procedures; and Notification Procedures.

Pursuant to OMB Circular No. A-108, the section entitled “SECURITY CLASSIFICATION” is updated from “none” to “unclassified.”

The Department is updating the section entitled “SYSTEM LOCATION” to list the names and addresses of the current Department contractor and subcontractor that maintain MSIX records.

The Department is updating the section entitled “AUTHORITY FOR MAINTENANCE OF THE SYSTEM” to update the reference to the current legal authority.

The Department is updating the section entitled “PURPOSE(S) OF THE SYSTEM” to reflect the current, rather than anticipated, use and benefits of the system. While the purpose of reducing unnecessary immunizations is still a goal of the Migrant Education Program (MEP), MSIX does not track or record incidences of unnecessary immunizations.

The Department is updating the section entitled “CATEGORIES OF RECORDS IN THE SYSTEM” to update the reference to the Paperwork Reduction Act (PRA) clearance request in the Federal Register which lists the minimum data elements included in MSIX.

The Department is updating the section entitled “RECORD SOURCE CATEGORIES” to add Migrant Education Program (MEP) local operating agencies (LOAs), in addition to local educational agencies (LEAs). LOAs were added to the record source categories to be inclusive of service delivery organizations that are operating in the MEP participating States. SEAs submit data to MSIX using data sourced from LEAs and/or LOAs, depending on the service delivery model used by the SEA. The Department also is adding parents, guardians, and migratory children to the section of the notice on record source categories to more closely adhere to OMB guidance on the Privacy Act and to reflect that LEAs, LOAs, and SEAs obtain some records directly from parents and migratory children.

This modified system of records notice will also update routine uses (1), (2), (3), (5), and (6) and add new routine use (8).

The Department is modifying routine use (1), which was formerly entitled “MEP Services, School Enrollment, Grade or Course Placement, Accrual of High School Credits, Student Record Match Resolution,” to include “data correction by parents, guardians, and migratory children” as a reason for disclosure to authorized representatives of SEAs, LEAs, or other MEP LOAs.

The Department is modifying routine use (2) entitled “Contract Disclosure” and routine use (3) entitled “Research Disclosure” to remove language that respectively referenced safeguard requirements under subsection (m) of the Privacy Act and Privacy Act safeguards. The Department revised the language in routine use (2) to permit the Department to disclose records from this system of records to employees of Department contractors, whether or not the contractors are covered by subsection (m) of the Privacy Act, so long as the contractors are performing a Departmental function that requires disclosing records to them and they agree to establish and maintain safeguards that will protect the security and confidentiality of the disclosed records. The Department also revised the language in routine uses (2) and (3) because the prior language referring to required safeguards under the Privacy Act and Privacy Act safeguards was unclear about what safeguards were Start Printed Page 32897required and therefore to clarify that contractors and researchers to whom disclosures are made under these routine uses will be required to agree to establish and maintain safeguards to protect the security and confidentiality of the disclosed records. The Department also revised routine use (2) to remove language that had referred to requiring these safeguards to be maintained before the contract was entered into and instead to indicate that the agreement on such safeguards will be reached as part of any such contract.

Pursuant to the requirements in OMB M-17-12, the Department is modifying routine use (5) entitled “Disclosure in the Course of Responding to a Breach of Data” and adding routine use (8) entitled “Disclosure in Assisting another Agency in Responding to a Breach of Data” in order to comply with the requirements in OMB M-17-12. Pursuant to this new routine use, the Department may disclose records from this system to another Federal agency or Federal entity, when the Department determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

The Department is modifying routine use (6) entitled “Litigation or Alternative Dispute Resolution (ADR) Disclosure” to replace the word “individual,” which is a defined word under the Privacy Act, with the word “person” to avoid public confusion.

The Department is updating the section entitled “POLICIES AND PRACTICES FOR STORAGE OF RECORDS” to remove references to hardware stored in locked file cabinets and describe electronic records storage.

The Department is also updating the section entitled “POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS” to explain that MSIX users retrieve records by an individual's name, in addition to the unique identifier assigned to each individual.

The Department is updating the section entitled “POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS” to reflect the most recent Department records schedule, and applicable disposition instruction, which governed the retention and disposition of the records; and, to explain that said records schedule disposition instruction is being superseded, pending approval by the National Archives and Records Administration (NARA), by a new records schedule submitted by the Department to NARA.

The Department is updating the section entitled “ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS” to reflect changes in technical and physical safeguards offered by the cloud service provider.

The Department is also updating the sections entitled “RECORD ACCESS PROCEDURES” and “NOTIFICATION PROCEDURES” to specify the necessary particulars that the system manager must be provided in connection with a records access or notification request in order to distinguish between the records of individuals with the same names.

Pursuant to the requirements of OMB Circular No. A-108, the Department is also adding a new section to the notice that is entitled “HISTORY.”

Accessible Format: Individuals with disabilities can obtain this document in an accessible format (e.g., braille, large print, audiotape, or compact disc) on request to the person listed under FOR FURTHER INFORMATION CONTACT.

Electronic Access to This Document: The official version of this document is the document published in the Federal Register. Free internet access to the official edition of the Federal Register and the CFR is available via the Federal Digital System at: www.gpo.gov/​fdsys. At this site you can view this document, as well as all other documents of the Department published in the Federal Register, in text or Portable Document Format (PDF). To use PDF you must have Adobe Acrobat Reader, which is available free at the site.

You may also access documents of the Department published in the Federal Register by using the article search feature at: www.federalregister.gov. Specifically, through the advanced search feature at this site, you can limit your search to documents published by the Department.

For the reasons discussed in the preamble, the Assistant Secretary of the Office of Elementary and Secondary Education of the U.S. Department of Education (Department) publishes a notice of a modified system of records to read as follows:

SYSTEM NAME AND NUMBER

Migrant Student Information Exchange (MSIX) (18-14-04).

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

(1) U.S. Department of Education, Office of Migrant Education, Office of Elementary and Secondary Education, 400 Maryland Avenue SW, Washington, DC 20202-6135.

(2a) Deloitte Consulting LLC, 1919 North Lynn Street, Arlington, VA 22209-1743 (contractor) (Software development/programming and operations/maintenance).

(2b) Amazon Web Services (AWS) US-EAST/US-WEST 12900 Worldgate Drive, Herndon, VA 20170-6039 (subcontractor).

SYSTEM MANAGER(S):

Director, Office of Migrant Education, Office of Elementary and Secondary Education, U.S. Department of Education, 400 Maryland Avenue SW, Room 3E317, Washington, DC 20202-0001.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

MSIX is authorized under section 1308(b)(2) of the Elementary and Secondary Education Act of 1965, as amended (ESEA), 20 U.S.C. 6398(b)(2).

PURPOSE(S) OF THE SYSTEM:

The purpose of MSIX is to enhance the continuity of educational and health services for migratory children by providing a mechanism for all States to exchange educational and health-related information on migratory children who move from State to State due to their migratory lifestyle. MSIX helps to improve the timeliness of school enrollments, the appropriateness of grade and course placements, and participation in the Migrant Education Program (MEP) for migratory children. Further, MSIX facilitates the accrual of course credits for migratory children in secondary school by providing accurate academic information on the students' course history and academic progress.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

This system contains records on all children whom States have determined to be eligible to participate in the MEP, authorized in Title I, Part C of the ESEA.

CATEGORIES OF RECORDS IN THE SYSTEM:

The categories of records in the system include the migratory child's: Name, date of birth, personal identification numbers assigned by the States and the Department, parent's or parents' name or names, school enrollment data, school contact data, assessment data, and other educational and health data necessary for accurate Start Printed Page 32898and timely school enrollment, grade and course placement, and accrual of course credits. The final request for public comment on the minimum data elements (MDEs) to be included in MSIX was published, pursuant to the Paperwork Reduction Act of 1995 clearance process, in the Federal Register on May 25, 2016 (81 FR 33246).

RECORD SOURCE CATEGORIES:

The system contains records that are obtained from parents, guardians, migratory children, State educational agencies (SEAs), local educational agencies (LEAs), and local operating agencies (LOAs).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

The Department may disclose information contained in a record in this system of records, under the routine uses listed in this system of records, without the consent of the individual if the disclosure is compatible with the purposes for which the record was collected. The Department may make these disclosures on a case-by-case basis or, if the Department has complied with the computer matching requirements of the Privacy Act of 1974, as amended (Privacy Act), under a computer matching agreement.

(1) MEP Services, School Enrollment, Grade or Course Placement, Accrual of High School Credits, Student Record Match Resolution, and Data Correction Disclosure. The Department may disclose a record in this system of records to authorized representatives of SEAs, LEAs, or other MEP LOAs to facilitate one or more of the following for a student: (a) Participation in the MEP, (b) enrollment in school, (c) grade or course placement, (d) credit accrual, (e) unique student match resolution, and (f) data correction by parents, guardians, and migratory children.

(2) Contract Disclosure. If the Department contracts with an entity for the purposes of performing any function that requires disclosure of records in this system to employees of the contractor, the Department may disclose the records to those employees who have received the appropriate level security clearance from the Department. As part of such a contract, the Department will require the contractor to agree to establish and maintain safeguards to protect the security and confidentiality of the disclosed records.

(3) Research Disclosure. The Department may disclose records from this system to a researcher if an appropriate official of the Department determines that the individual or organization to which the disclosure would be made is qualified to carry out specific research related to functions or purposes of this system of records. The official may disclose information from this system of records to that researcher solely for the purpose of carrying out that research related to the functions or purposes of this system of records. The researcher will be required to agree to establish and maintain safeguards to protect the security and confidentiality of the disclosed records.

(4) Freedom of Information Act (FOIA) or Privacy Act Advice Disclosure. The Department may disclose records to the U.S. Department of Justice (DOJ) or the Office of Management and Budget (OMB) if the Department concludes that disclosure is desirable or necessary to determine whether particular records are required to be disclosed under the FOIA or the Privacy Act.

(5) Disclosure in the Course of Responding to a Breach of Data. The Department may disclose records from this system to appropriate agencies, entities, and persons when (a) the Department suspects or has confirmed that there has been a breach of the system of records; (b) the Department has determined that as a result of the suspected or confirmed breach, there is a risk of harm to individuals, the Department (including its information systems, programs, and operations), the Federal Government, or national security; and, (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department's efforts in responding to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

(6) Litigation or Alternative Dispute Resolution (ADR) Disclosure.

(a) Introduction. In the event that one of the following parties is involved in litigation or ADR, or has an interest in litigation or ADR, the Department may disclose certain records to the parties described in paragraphs b, c, and d of this routine use under the conditions specified in those paragraphs:

(i) The Department or any of its components.

(ii) Any Department employee in his or her official capacity.

(iii) Any employee of the Department in his or her individual capacity where DOJ has agreed to or has been requested to provide or arrange for representation of the employee.

(iv) Any employee of the Department in his or her individual capacity where the Department has agreed to represent the employee.

(v) The United States where the Department determines that the litigation is likely to affect the Department or any of its components.

(b) Disclosure to DOJ. If the Department determines that disclosure of certain records to DOJ, or attorneys engaged by DOJ, is relevant and necessary to litigation or ADR, and is compatible with the purpose for which the records were collected, the Department may disclose those records as a routine use to DOJ.

(c) Adjudicative Disclosure. If the Department determines that disclosure of certain records to an adjudicative body before which the Department is authorized to appear or to a person or entity designated by the Department or otherwise empowered to resolve or mediate disputes is relevant and necessary to litigation or ADR, and is compatible with the purpose for which the records were collected, the Department may disclose those records as a routine use to the adjudicative body, person, or entity.

(d) Disclosure to Parties, Counsel, Representatives, and Witnesses. If the Department determines that disclosure of certain records to a party, counsel, representative, or witness is relevant and necessary to litigation or ADR, and is compatible with the purpose for which the records were collected, the Department may disclose those records as a routine use to a party, counsel, representative, or witness.

(7) Congressional Member Disclosure. The Department may disclose information from a record of an individual to a member of Congress and his or her staff in response to an inquiry from the member made at the written request of that individual. The member's right to the information is no greater than the right of the individual who requested it.

(8) Disclosure in Assisting another Agency in Responding to a Breach of Data. The Department may disclose records from this system to another Federal agency or Federal entity, when the Department determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.Start Printed Page 32899

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

The cloud service provider, Amazon Web Services (AWS), through a subcontract with the Department, stores computerized student records, including backups, on virtual servers. Physical security of electronic data is maintained in compliance with the Federal Information Security Modernization Act of 2014 (FISMA) and National Institute of Standards and Technology (NIST) standards.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records in this system are retrieved by name and by the unique identifier assigned to each individual.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

All records were previously retained and disposed of in accordance with Department Records Schedule 066: Program Management Files (N1-441-10-1) (ED 066), Item (a)(3). ED 066, Item (a)(3), is being superseded, pending approval by the National Archives and Records Administration (NARA), by a new records schedule submitted by the Department to NARA entitled, “Migrant Student Information Exchange (MSIX) Electronic Information System Records.” The Department will not destroy the aforementioned records until such time as said new, NARA-approved schedule is in effect, as applicable.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

(1) Introduction. Security personnel control and monitor all physical access to the site of the Department's subcontractor, where this system of records is maintained. The computer system employed by the Department offers a high degree of resistance to tampering and circumvention. This computer system limits data access to Department and contract staff on a “need to know” basis, and controls individual users' ability to access and alter records within the system by granting user names and passwords, and assigning user roles.

(2) Physical Security of Electronic Data. The MSIX infrastructure is housed in a cloud service provider with provisional authorization from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB) under the Moderate control baseline. All controls managed by the cloud service provider, including physical security of electronic data, are reviewed by a third party assessment organization (3PAO) in accordance with FedRAMP guidance.

(3) User Access to Electronic Data. MSIX leverages role-based accounts and security controls to limit access to the application, its servers, and its infrastructure to authorized users in accordance with the Federal Information Security Modernization Act (FISMA) of 2014 and the Department Office of Chief Information Officer (OCIO) directives, policies, standards and procedures. All MSIX users must follow a registration process that involves identity validation and verification prior to gaining access to MSIX. MSIX utilizes unique user identifiers (user IDs) and authenticators (strong passwords). Directory information for all authorized users is stored in the system. Directory information maintained in MSIX includes username, full name, work contact information, and login credentials needed to maintain user accounts. The MSIX application is only available to authorized users via a Uniform Resource Locator (URL) that runs under the Hypertext Transfer Protocol over Secure Socket Layer (HTTPS).

(4) Additional Security Measures. The MSIX infrastructure also leverages firewalls and intrusion detection systems to limit internal access and identify unauthorized access to the system. MSIX logs, monitors, and controls network communications and systems actions. System components are logically separated from internal organizational networks and connect to external networks through managed interfaces. Further, the MSIX operations include conducting vulnerability scans, monitoring the U.S. Computer Emergency Response Team (CERT) bulletins, and applying routine operating system and vendor patches as appropriate.

RECORD ACCESS PROCEDURES:

If you wish to gain access to your record in the system of records, you must contact the system manager at the address listed under SYSTEM MANAGER(S). You must provide necessary particulars such as your name, date of birth, and any other identifying information requested by the Department while processing the request to distinguish between individuals with the same name. Your request must meet the requirements of regulations in 34 CFR 5b.5, including proof of identity.

CONTESTING RECORD PROCEDURES:

If you wish to contest or change the content of a record regarding you in the system of records, contact the system manager at the address listed under SYSTEM MANAGER(S). Your request must meet the requirements of regulations in 34 CFR 5b.7.

NOTIFICATION PROCEDURES:

If you wish to determine whether a record exists regarding you in the system of records, you must contact the system manager at the address listed under SYSTEM MANAGER(S). You must provide necessary particulars such as your name, date of birth, and any other identifying information requested by the Department while processing the request to distinguish between individuals with the same name. Your request must meet the requirements of regulations in 34 CFR 5b.5, including proof of identity.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

The system of records was originally published in the Federal Register on December 5, 2007 (72 FR 68572-68576).