The main purpose of community data sharing is to create a community-wide information system that supports interactions with many service providers to deliver a comprehensive, longitudinal perspective on each child, leveraging data and technology to provide better, faster, and continuously improved services. In Community Data Sharing Initiatives - Community Collaboratives - participants share information regarding the children they serve. It is essential to have a clear definition of how the sharing is managed and authorized and which information is shared. 

The Backbone Organization (Longitudinal Community Database) of the collaborative is the lead partner organization that is responsible for community agreements on data governance and data sharing, an agreed-upon approach to parent consent, collaborative goals, and the associated data set to be shared. This organization is responsible for Data Management Services: the “scoping” of data access for data sharing partners and users, defining the approach to mapping children between organizations, consent administration, and an approach to managing data quality. [e.g. duplicates]

• Legal Data Sharing - Community Agreement
• Organization & User Scoping 
• Child-Organization Mapping
• Consent Administration
• Data Quality

Data Users are partner organizations that are interested in accessing the Data Contributors’ child-related information either in aggregated, de-identified or identifiable format. The leverage the COMET Community Reporter. Commonly, Data Users are also Data Contributors, but not necessarily (e.g.: funding organizations like United Way, County, or City services).

• Aggregated & De-Identified Community Reports & Exports
• Geo-Coded Map Demographics
• Data For Program Evaluators
• Compare Your Organization To The Community
• Identifiable Data Reports & Exports, For Those With Proper Consent

COMET Operations

Data Contributors are partner organizations that directly interact with children and record child-driven information in COMET, or in their own operational database - Pass-thru Data Contributor -- that will be integrated into the data-sharing initiative. Another approach to contributing data is to provide program participation as a Roster Data Contributor through a list of your children (ID, last, first, DOB, gender). Note that contributors "own" the data they contribute in an explicit or implicit agreement of confidentiality [e.g.: Family Educational Rights & Privacy Act (FERPA)] with each child’s parent.

Data Contributors - Collected In COMET

• Community Organization Running Programs & Providing Support
• Funder Collecting Data From Multiple Service Providers
• School District SEL Program
• City Sending Data (Pass-Thru)

Data Contributors - Collected External To COMET

• Student Information Systems (SIS)
• Community-Based Organizations
• Government & Heath Systems

Parent Portal

Parent / Guardian involvement is key to a data-sharing initiative. COMET’s community data sharing solution supports parent approval of the sharing of their child’s data. Recording and leveraging parent consent is fundamental to a data-sharing initiative. 

• Parents Understand & Control Their Child's Data & Can See Their Child's Information, Including Assessment Results
• They Can Provide Input On Their Child & Communicate With Those Who Work With Them

Community Reporting 

COMET’s community data sharing solution is powered by our sophisticated reporting application - COMET Community Reporter, supporting aggregated and de-identified community reports and exports, geo-coded map demographic visualization, data for program evaluators, community comparison reports, and identifiable data reports and exports. 

• Aggregated reports: Typically, such reports may pull data from multiple Data Contributors and consolidate / aggregate accordingly. These reports are authorized through the data-sharing agreement between the service provider partners. 
• De-identified child-level reports or data extraction: Typically, these reports are used for research purposes. Records are de-identified meaning that they do not contain any data element that could identify a child (e.g.: name, ID, etc). These reports are authorized through data-sharing agreements between the service providers. 
• Identifiable child-level records: It is possible to report on identifiable child data, but this data sharing requires valid parent consent and clear authorization from the Data Contributor.

Only data sharing can enable outcome measurement across organizations. So, if an after-school program and a school want to measure if their collective work has a positive impact on school attendance and academic outcomes, and to determine which programs are effective and to fund, data sharing is essential.

Ideally, every community's child-serving organizations will share data and collaborate to improve common goals; realizing the vision of a comprehensive, longitudinal community database supported through the efforts of Partner Organizations that work together in a Community Data Sharing Initiative in which its children are thriving.

Ready to join a collaborative? Take our readiness quiz.

Original Posting 18.09.17

Stating concern for privacy, schools sometimes will not get involved in data sharing with community organizations or initiatives. Although permissible under federal law, the schools struggle with this change – whether from having an insular culture, resistance to change or a fear of increasing liability. The U.S. Department of Education is now providing guidance for how districts can work within the United States’ student-data-privacy law - the Family Educational Rights and Privacy Act (FERPA). They recommend that schools understand that integrated data system implementation is a multistep process. Each of the steps should be justified using the appropriate exception written into FERPA.

A few helpful concepts:

• "School Official" Exception: A provision that allows a district to share educational records with third parties as part of outsourcing a service that it lacks the capacity to perform itself, such as sharing identifiable records with an integrated data warehouse that links with other administrative data.
• "Studies" or "Audits and Evaluation" Exceptions: A provision where schools give permission for analysis of de-identified records from the data warehouse by approved researchers. Note that research projects must have an instructional benefit for the schools involved.
• Data Sharing Agreements: The process must include written agreements that detail all the terms of the relationships. School districts are responsible for protecting the education records they disclose.
• Parent Consent:  Records that have “identifiable” data that allows a child to receive appropriate interventions can’t be shared without parental consent. So if servicing the child to improve outcomes requires sharing of specific child records, a signed parent consent process must be implemented before this data is shared. Under FERPA, if the department is the legal guardian of the child, such as those in foster care or other court-ordered placements, then the department has the right to access their educational records.
• Security Protocols: Access to the data warehouse should be limited and school districts should generally have no access into individual records with the child’s data in this warehouse. They will receive information that has been aggregated where no child can be identified.  This aggregated information is also often shared with other participating organizations and agencies, often with a “Community Report Card” approach as part of a continuous improvement effort.

Here is a nice checklist from the U.S. Department of Education’s “Data-Sharing Tool Kit for Communities: How to Leverage Community Relationships While Protecting Student Privacy” - a resource full of good tips for school districts.

Getting Started: A Quick Checklist for the School

• Establish criteria in the annual notification of FERPA rights about who is a “school official” and what constitutes “legitimate educational interests.”
• Determine if the disclosure is to a school official who has a legitimate educational interest in the education records.
• Use reasonable methods to ensure that school officials obtain access to only those education records in which they have a legitimate educational interest.
• If outsourcing school services or functions to a third party, make sure your third party does the following:
  • Performs a service or function for which the school would otherwise use employees
  • Is under the direct control of the school regarding the use and maintenance of education records
  • Complies with the PII from education records use and re-disclosure requirements

COMET is pleased to support a number of communities in their data sharing efforts.  Check out our Community Data Sharing resource for more information. If you’re struggling to connect with your local school district, contact us. We have lots of experience working through these data sharing agreements.

Original Posting 18.10.17

Have you heard about two-factor authentication (2FA)? Do you know if it already is a part of your life? If you do, what do you think about it? Are you happy about it or do you find it annoying? (And the answers you give might be affected by whether you have been a victim of identity theft.)

What is 2FA? Personal credentials to access an account can include a personal identification number (PIN), a password, a pattern, an item (security fob, ATM card, smartphone), a biometric (voice print, finger ID, retinal scan). A typical example of single-factor authentication is entering a username and a password. Two-factor authentication adds a second level of authentication to accessing an account. An example of 2FA is requiring a ZIP code when you use your credit card at the gas station.

So – there is an extra step … that makes me so happy … The organization in charge of account access implements and controls the security of the access. So some companies, suppliers or vendors mandate it, some make it as a configurable option, and others do not have it. And whenever there is an extra step to a process, there will be division as to the value of the step for the account owners. Some willingly do the extra step to protect their account. Others will be annoyed and resent it. (And sometimes they will not be able to login to their own account because they don’t have, or can’t remember the credentials.)

Will 2FA really keep my account secure? 2FA is not a guarantee that accounts will not be accessed by those who should not be accessing them. Hackers, especially with criminal intent, are a clever and committed group. But 2FA is one extra layer of protection beyond a simple login. It does make hacking harder.

What is the way hackers get through 2FA? Every updated approach to account security faces challenges as hackers work to attack the new methods. It’s regrettable, but it is reality. One way that hackers get into accounts is by exploiting the process of account recovery - where a password reset occurs and 2FA is disabled. Another way is getting the credential item (such as the credit card); another is accessing the digital code used in authenticating credentials. Biometric credentials are more secure, but we all have seen the movies that get “creative” about stealing fingerprints. So with these risks, where possible, it is advisable to use 2FA for login access and a separate 2FA for account recovery.

2FA is valuable when it provides increased security along with simple usability It is likely that as more organizations implement 2FA for account security, it will be implemented in a “less annoying” way and will be expected by the account owners in order to access account information (just as single-factor authentication is today). And those using 2FA now find that they are used to it - and it is not very difficult to integrate into their approach to account access. (Such as those of us that get a verification code text on our phone when we login to a new device.) And assuredly, as more adoption of 2FA occurs, it will be continuously improved. "Cyber-security is like a game of chess.. Always trying to predict your opponent's next move." ~ Jason Brundage, Director of COMET Systems Infrastructure COMET security is a critical component of our services – providing continuous system access while protecting customer data. The most stringent technologies, protocols and practices are used in our product development. We are interested in your thoughts on adding two-factor authentication (2FA) to COMET. Click here to respond to a quick survey.