|(a) Definitions. The following words and terms, when used in this section, shall have the following meanings, unless the context clearly indicates otherwise. (1) FERPA means the Family Educational Rights and Privacy Act, 42 U.S.C. 1232g, including regulations and informal written guidance issued by the United States Department of Education and any amendments or supplementation thereof. (2) Confidential information as applied to data provided to an Education Research Center (ERC) by Texas Education Agency (TEA) or the Texas Higher Education Coordinating Board (CB) includes all student-level data, including any data cells small enough to allow identification of an individual student. All social security numbers, student names, student birthdates and data cells containing between one and four students, inclusive, are confidential. (3) Small data cells will be considered any cell containing between one and four students inclusive. Information may not be disclosed where small data cells can be determined through subtraction or other simple mathematical manipulations or subsequent cross-tabulation of the same data with other variables. Institutions may use any of the common methods for masking including: (A) hiding the small cell and the next larger cell on the row and column so the size of the small cell can not be determined; or (B) hiding the small cell and displaying the total for both the row and column as a range of at least ten; or (C) any methodology approved by the TEA and CB. (4) References to the CB shall also be deemed to include the Commissioner of Higher Education. References to the TEA shall also be deemed to include the Commissioner of Education. (b) Purpose. (1) ERCs may be established by joint approval of the commissioner of education and the CB. An ERC may only be established at a sponsoring public institution of higher education in Texas, but may be awarded to a consortium of such institutions. An ERC must be physically located within Texas and must retain all data at that location, except for secure off-site data back-up in accordance with written procedures approved by the Joint Advisory Board. Student level data may not be provided to a researcher at a location other than a Research Center or the THECB or a public institution of higher education located in Texas that is an acknowledged consortium member of the Research Center. (2) The CB is responsible for general oversight, technical assistance and state support of ERCs, except as otherwise provided in this chapter. All policy decisions and rulemaking shall be jointly approved by TEA and the CB. (3) Sponsoring institutions of higher education are responsible for all equipment, salaries and other operating costs of an ERC, including staff and equipment at TEA and the CB necessary to prepare and maintain data for the ERCs, as well as reasonable reimbursable expenses of the joint advisory board. Costs will be limited to one full-time equivalent employee at each agency along with associated data storage costs as set by DIR for the data center consolidation rates unless otherwise agreed to by the TEA, CB, and the ERCs. (c) Joint Advisory Board. (1) The commissioner of education and the commissioner of higher education shall co-chair an advisory board to review and approve research involving access to confidential information and to adopt policies governing ERC operations. Each commissioner may delegate to an agency employee the ability to act as co-chair and vote on matters coming before the Joint Advisory Board. (2) The commissioner of education and the commissioner of higher education shall jointly appoint up to ten additional members to the Joint Advisory Board. All research involving access to confidential information must be approved by the said board. (3) Members of the Joint Advisory Board serve at the pleasure of the commissioner of education and the commissioner of higher education and must be reappointed annually. The Joint Advisory Board will post its agenda and conduct its meetings in compliance with the Texas Open Meetings Act. (4) The Joint Advisory Board shall meet at the call of the two chairs at least twice each year. (d) Operation. (1) An ERC may operate only under written authorization by the commissioner of education and the CB. Status as an ERC may not be assigned, delegated or transferred to any other entity. (2) An ERC shall be lead by a managing director who is a professional employee of the sponsoring institution of higher education (IHE). The managing director shall report directly to the chief operating officer of the sponsoring IHE unless a different reporting structure is approved by TEA and the CB. (3) All research at an ERC involving access to confidential information shall be conducted only with the approval of and under the joint oversight of TEA and the CB through the Joint Advisory Board. Research that does not involve access to confidential information may be conducted by the ERCs without approval of the Joint Advisory Board upon 30 days notice to TEA and the CB and certification by the ERC that sufficient resources will be available to meet all demands for resources to conduct research or manipulate data under the direction of the Joint Advisory Board or on behalf of TEA or the CB. (4) Confidential information provided to an ERC by TEA or the CB shall be protected by procedures to ensure that any unique identifying number is not traceable to any individual. Such procedures must be maintained as confidential by TEA and the CB and may not be shared with an ERC, or used for any other purpose. Under no circumstances may social security numbers, names, or birthdates be accessed for the purpose of research at an ERC. (5) ERCs shall adopt written procedures for research conducted using confidential information, subject to approval by the Joint Advisory Board. An ERC may not access confidential information until all such procedures are approved. Such procedures shall include: (A) measures to ensure against unauthorized disclosure of confidential information; (B) independent review of all research products by a designated ERC staff person not involved in that specific project to ensure against unauthorized disclosure of confidential information; (C) review of all datasets created by a researcher to ensure that confidential information is not copied or removed from the ERC; (D) annual certification of full compliance with all requirements of state and federal laws and regulations regarding the use of confidential information for research purposes by the internal auditor of each participating IHE; (E) approval of research design by an accredited IHE, including any applicable requirements for research involving human subjects, before submitting a research proposal to the Joint Advisory Board for approval; and (F) criteria for allocating research access capacity for researchers not affiliated with the sponsoring IHEs. (6) All research produced at an ERC shall: (A) be made available upon request to TEA and the CB; (B) be available for public distribution, copying or reproduction at no cost to TEA or the CB; (C) contain a disclaimer in a form acceptable to TEA and the CB stating that the conclusions of the research do not necessarily reflect the opinion or official position of those entities or of the State of Texas; (D) be reviewed before publication or other distribution by individuals other than those conducting the research to ensure that confidential information is not disclosed, in accordance with guidelines adopted under FERPA or by TEA or the CB; (7) An ERC shall comply with the requirements of the Texas Public Information Act, including requirements relating to data manipulation. An ERC shall process any Public Information Act requests referred by TEA or the CB in a timely manner. Charges for processing Public Information Act requests shall be based on guidelines developed by the Texas Attorney General's Office and approved by the Joint Advisory Board. (8) A sponsoring IHE shall cooperate fully with all audit requests made by TEA or the CB. Each ERC shall annually request and undergo a security audit performed by the Texas Department of Information Resources, or a contractor approved by that Department, which shall include a penetration test of computer equipment and access. (9) Research projects that require access to data not then included in the database maintained by the CB for research will be provided by the CB or the TEA if available. An ERC will be charged the cost to process or manipulate such data. ERCs will be assessed for annual maintenance costs of the CB and the TEA as approved by the Joint Advisory Board. (e) Sanctions and Termination. (1) Upon a determination that confidential information has been released or has been copied to another location, or that appropriate security measures are not in place to protect confidential information, the Joint Advisory Board may require an ERC to obtain appropriate services or equipment or to remove confidential information from such other location in order to remedy a security deficit. Such services or equipment shall be purchased by the ERC from vendors subject to approval of the Joint Advisory Board. (2) An ERC may be terminated by joint action of TEA and the CB for failure to meet the requirements of state or federal law, of this subchapter, or of the terms of a contract establishing the ERC. An ERC shall be entitled to an informal review of a determination to terminate its status by a designee of the commissioner of education and the commissioner of higher education prior to the effective date of the termination. (3) Notice of termination under paragraph (1) and (2) of this subsection shall be provided to the ERC's designated representative and shall contain information regarding the reasons for the termination. (4) A termination made pursuant to this section shall become final and binding unless, within 30 days of its receipt of the notice of termination, the ERC invokes the administrative remedies contained in Chapter 1, subchapter B of the Rules of the CB (relating to Hearings and Appeals). (5) Any ultimate recommendation regarding termination shall be made to both the CB and the commissioner of education. The CB and the commissioner of education must concur for any termination of an ERC invoking such administrative remedies to become final. (f) Security. (1) An ERC must comply with all requirements of FERPA in accessing confidential information to conduct research. Notwithstanding any other provision in this subchapter, failure to maintain adequate security to avoid the unauthorized disclosure of confidential information provided to the ERC shall be grounds for immediate termination of the authorization to access such data. (2) All physical locations at which confidential information may be accessed at an ERC must be located within Texas, at a sponsoring IHE, and approved by both TEA and the CB. Each ERC may provide for off-site data back up of information for disaster recovery purposes in accordance with DIR processes. No research can be performed at a back up site. (3) Either TEA or the CB may suspend access to confidential information provided to an ERC based on a significant risk of unauthorized disclosure of confidential information.