Protection of Personally Identifiable Information in Statewide Longitudinal Data Systems

The purpose of the audit was to (1) assess the adequacy of the Institute of Education Sciences’ (IES) Statewide Longitudinal Data System (SLDS) grant requirements and monitoring of States to ensure internal controls are in place to prevent, detect, and report unauthorized access and disclosure of personally identifiable information in SLDSs; and (2) determine whether selected States have internal controls in place to prevent, detect, report, and respond to unauthorized access and disclosure of personally identifiable information in their SLDSs. We found that IES’s grant requirements were adequate to ensure the protection of personally identifiable information. We also found that the grantees that we audited addressed these requirements in the approved grant applications by identifying and noting that they would comply with specific State requirements pertaining to data and system security. However, we found that IES had inadequate controls for monitoring its grantees’ adherence to State system security requirements. Specifically, IES did not ensure that its grantees met the minimum State system security requirements. We identified internal control weakness at all three grantees audited that increased the risk that these grantees would be unable to prevent or detect unauthorized access and disclosure of personally identifiable information in their SLDSs.