Data Masking


In education, data masking refers to the process of concealing or encrypting selected information—most commonly in school-performance reports and datasets prepared by state education agencies and school districts—to protect the identity and privacy of individual students, teachers, or administrators. Data masking is used when reports are shared with third parties who are not authorized to access secure or private information—such as academics, researchers, or consultants—that could potentially be used to infer or reveal the identities of specific individuals.

Data Masking vs. Data Suppression
The terms “data masking” and “data suppression” refer to similar yet distinct processes—although in some cases the terms may be used interchangeably. When data are masked, the information is concealed from view or encrypted in a file, but the masked data remains encoded in the file or database and can be accessed (or “re-identified”) by those with the proper authorization codes or passwords. When data are suppressed, the information is entirely removed or deleted, most commonly in files and reports that are publicly shared. For a more detailed discussion, see data suppression.

Data masking is frequently used in research scenarios. For example, a state education agency might hire an organization or university to study the results or impact of educational policy—say, a recent expansion of state-subsidized pre-kindergarten programs. The researchers would then request the data they need to conduct the study (e.g., records showing the number of students enrolled in pre-kindergarten programs over a ten-year period), and the education agency would then assemble the necessary datasets. Before releasing files to the researchers, however, the agency would “mask” selected information—such as the first and last names of students—to prevent individual identities from being revealed in the information provided to the external researcher. Data may also be masked when education agencies, districts, or schools share information with any other external organizations or individuals not authorized to access or view personal information—for example, consultants and companies under contract to provide specialized services.

While the specific methods of data masking can be highly technical, the basic technique will be familiar to most people: credit-card statements that present only partial account numbers combined with Xs or online passwords that are represented as small dots are both common examples of data masking. While the companies masking account numbers and passwords know what the Xs or dots represent, masking or encrypting the information provides a layer of security against identify theft, fraud, and other abuses of customer information.

For related discussions, see de-identified data, personally identifiable information, student-level data, and unique student identifier.