IES, the Education Department's research agency collects data on millions of students nationwide, and it is one of the primary agencies connecting researchers to student data, but the audit suggests the agency needs to tighten its processes to ensure researchers know how to safeguard student privacy.
Auditors looked at a a sample of 95 employees assigned to IES's five largest contractors, all of them long-standing research groups: Research Triangle Institute, the American Institutes for Research in the Behavioral Sciences, NCS Pearson, Inc, Westat, Inc, and the Educational Testing Service. All told, they represent more than $462 million, or 29 percent of IES's active contract funding.
The auditors found nearly half of the 81 employees who needed a screening in order to work with student data had no evidence of receiving one. Another 15 employees had been screened while under a previous contract or while working for another agency, but IES had not verified their screenings.
In general, the problems seems to be caused by confusion about which employees met different levels of risk in working with students' personal data. IES is in the process of revising a guide for contractors on student data, but it has not been reviewed by the Office of Management and Budget.
In a response to the audit, IES delegated director Thomas Brock said that the agency has written clarified guidance to its contractors and added additional staff as "personal security representatives" for contractors, and that it is continuing to work on security screening processes.