(3) All research at an ERC involving access to confidential
information shall be conducted with the approval of the Advisory Board
or by request of the Texas Workforce Commission, Commissioner of Higher
Education or the Commissioner of Education if the requesting agency
provides sufficient funds to the ERC to finance the project. All remote
access research at an ERC involving access to confidential information
shall be conducted with the approval of the Advisory Board.
(4) Confidential information provided to an ERC shall
be protected by procedures to ensure that any unique identifying number
is not traceable to any individual. Such procedures must be maintained
as confidential by TEA and the CB and may not be shared with an ERC,
or used for any other purpose. Under no circumstances may social security
numbers, names, or birthdates be accessed for the purpose of research
at an ERC.
(5) ERCs shall adopt written procedures for research
conducted using confidential information, subject to FERPA and its
implementing regulations and approval by the Advisory Board. An ERC
may not access confidential information until all such procedures
are approved. Such procedures shall include:
(A) measures to ensure against unauthorized disclosure
of confidential information;
(B) independent review of all research products/results
by a designated ERC staff person not involved in that specific project
to ensure against unauthorized disclosure of confidential information
in accordance with guidelines adopted under FERPA;
(C) measures to ensure that confidential information
is not copied or removed from the ERC;
(D) annual certification of full compliance with all
requirements of state and federal laws and regulations regarding the
use of confidential information for research purposes by the internal
auditor of each participating IHE;
(E) before final approval of a research proposal by
the Advisory Board, the researcher must certify that the research
proposal complies with the IHE's institutional review board or similar
research review board with oversight over research design, including
any applicable requirements for research involving human subjects
the ERC shall provide evidence of approval from the IRB or justification
for exclusion from the IRB process before a researcher has access
to any data; and
(F) criteria for allocating research access capacity
for researchers not affiliated with the sponsoring IHEs.
(6) All final research reports or analysis produced
at an ERC shall:
(A) be made available upon request to the cooperating
agencies;
(B) a single copy shall be made available to the cooperating
agencies for any copyright publications at no cost to the cooperating
agencies; institutionally produced or non-copyright publications shall
be available for public distribution, copying or reproduction at no
cost to the cooperating agencies;
(C) contain a disclaimer in a form acceptable to the
cooperating agencies stating that the conclusions of the research
do not necessarily reflect the opinion or official position of those
entities or of the State of Texas;
(7) An ERC shall comply with the requirements of the
Texas Public Information Act, including requirements relating to data
manipulation. Charges for processing Public Information Act requests
shall be based on guidelines developed by the Texas Attorney General's
Office.
(8) A sponsoring IHE shall cooperate fully with all
audit requests made by the CB or the Advisory Board. Each ERC shall
annually request and undergo a security audit performed by the Texas
Department of Information Resources, or a contractor approved by that
Department, which shall include a penetration test of computer equipment
and access, and provide the results thereof to the CB.
(9) Research projects that require access to data not
then included in the database maintained by the CB for research will
be provided by the cooperating agencies if available. An ERC will
be charged the cost to process or manipulate such data.
(e) Sanctions and Termination.
(1) Upon a determination that confidential information
has been released or has been copied to another location, or that
appropriate security measures are not in place to protect confidential
information, the CB may, in addition to other remedies set forth in
this section, require an ERC to obtain appropriate services or equipment
or to remove confidential information from such other location in
order to remedy a security deficit. Such services or equipment shall
be purchased by the ERC from vendors subject to approval of the CB.
(2) The ERC under review shall be required to pay all
reasonable costs to the CB for time necessary to re-audit and ensure
appropriate security measures are in place after a possible breech
occurs.
(3) An ERC may be terminated by the CB for failure
to meet the requirements of state or federal law, of this subchapter,
or of the terms of a contract establishing the ERC. An ERC shall be
entitled to an informal review of a determination to terminate its
status by a designee of the Commissioner of Higher Education prior
to the effective date of the termination. An ERC shall return all
confidential data to the CB within five (5) days of its receipt of
a notice of termination and shall not retain a copy, replica, or duplicate
thereof, whether in whole or in part. The Commissioner of Higher Education
may suspend an ERC while determining whether the ERC's failure to
meet the requirements of state or federal law, of this subchapter,
or of the terms of a contract establishing the ERC are of such significance
to warrant termination. An ERC may not operate during any period of
time it is suspended.
(4) Notice of termination under paragraphs (1) and
(2) of this subsection shall be provided to the ERC's designated representative
and shall contain information regarding the reasons for the termination.
(5) A termination made pursuant to this section shall
become final and binding unless, within 30 days of its receipt of
the notice of termination, the ERC invokes the administrative remedies
contained in Subchapter B of this chapter (relating to Dispute Resolution).
If this chapter is so invoked, any ultimate recommendations regarding
termination shall be made to the CB which, in turn, shall render its
decision in due course. The ERC shall be suspended during the pendency
of any such proceedings.
(f) Security.
(1) An ERC must comply with all requirements of FERPA
in accessing confidential information to conduct research. Notwithstanding
any other provision in this subchapter, failure to maintain adequate
security to avoid the unauthorized disclosure of confidential information
provided to the ERC shall be grounds for immediate termination of
the authorization to access such data.
(2) The CB may suspend access to confidential information
provided to an ERC based on a significant risk of unauthorized disclosure
of confidential information.
|
Source Note: The provisions of this §1.18 adopted to be effective August 15, 2007, 32 TexReg 4968; amended to be effective February 18, 2008, 33 TexReg 1324; amended to be effective November 21, 2013, 38 TexReg 8191; amended to be effective June 6, 2016, 41 TexReg 3995; amended to be effective August 16, 2020, 45 TexReg 5510 |