November 26, 2013

The PRIVACY issue

I recently opted-out of some testing for my 7th grader. I sent a letter to all of his teachers, his principal, his guidance counselor, and the Curriculum Coordinator of the BOE who I have had previous contact with. She was the only one to respond. And as I was starting to type out my own response to her, I thought it might be a good idea to share my response to educate all my readers about this topic. So here it is:

Thanks for taking the time to respond to my email; no one else did.

I'd like to take a some time to address your comments from this email and last where you state that "I also need to remind you that all of our assessment results data, teacher tests included, are stored on our servers" and "neither districts, teachers, schools, nor the state department of education is allowed to share any student or parent addresses or contact information."

First the issue of information being stored on Cheshire's servers.

As you are likely aware, Connecticut has a P-20 Council that was empowered by Governor Malloy in 2012  and one of their three goals is "Improving data systems to better track student progress.".

If you go to the P-20 Council APPROACH page and click on Memorandum of Agreement - CT Board of Education (pdf) it will bring you to a document that includes this information:
DAS-BEST [State Department of Administrative Services' Bureau of Enterprise Systems Technology] shall serve as the custodian of data from the education records that will be processed by software residing on its servers and will have responsibilities as set forth herein for the installation of the application, hardware, establishing network linkages, and connecting data sources...
So Connecticut already has a state server to collect data from the districts. And according to the Data Collection Update issued by the CT Commisioner of Education it is just a matter of time before data is uploaded to the state automatically:
An additional initiative for streamlining collections and reducing administrative burden is the automation of the upload process for state mandated data collections. We will continue to develop the aforementioned SIF [School Interoperability Framework] to replace the manual data upload and validation processes performed currently by LEA data administrators. SIF was piloted successfully by six districts and used by 15 districts for the January PSIS Collection. A SIF rollout is planned for all districts over the next few years.

The actual Connecticut laws that dictate that school districts need to share data with the state regardless of where it is stored, are:
Sec. 10-10a.
     (b) The Department of Education shall develop and implement a state-wide public school information system. The system shall be designed for the purpose of establishing a standardized electronic data collection and reporting protocol that will facilitate compliance with... federal reporting requirements…
     (c) On or before July 1, 2013, the department shall expand the state-wide public school information system as follows:
                     
            (1) (A) In addition to performance on state-wide mastery examinations pursuant to subsection (b) of this section, data relating to students shall include, but not be limited to, (i) the primary language spoken at the home of a student, (ii) student transcripts, (iii) student attendance and student mobility…
            (2) Collect data relating to student enrollment in and graduation from institutions of higher education for any student who had been assigned a unique student identifier pursuant to subsection (b) of this section, provided such data is available.
     (f) All school districts shall participate in the system, and report all necessary information required by this section, provided the department provides for technical assistance and training of school staff in the use of the system.
Of particular concern is the caveat in section (c)(1)(A) where it explains that the data they collect is not limited to, thereby keeping us in the dark as to what can actually be collected.

Additionally, the law that protects privacy for Connecticut citizens:
Sec. 42-471. Safeguarding of personal information.
does not pertain to the Connecticut State Department of Education and the personal information they collect, since it states that
(f) The provisions of this section shall not apply to any agency or political subdivision of the state.

So back to the P-20 Council. On page five of the Connecticut P-20 Council 2009 briefing entitled Commission for the Advancement of 21st Century Skills and Careers they explain about "Building Data Systems":
Nationally, the Data Quality Campaign (DQC) supports state efforts to use high-quality education data to improve student achievement. DQC tracks states’ progress in achieving 10 essential elements needed to build an effective longitudinal data system.
Those 10 essential elements can be found on page 20 of Data Quality Campaign's just-released report entitled Data For Action 2013. Page 21 shows where Connecticut currently is in working toward that goal. And the cause for concern is that Connecticut has not accomplished certain important elements, specifically element #5, which in part requires that the state is transparent about who is authorized to access specific data and for what purposes, and element #10, which in part requires that the state education agency makes data privacy and security policies public. 


So to summarize:
  • despite the fact that all of Cheshire's data "are stored on our servers", by state law much of the information on those servers is already provided to the state, and at some point "over the next few years" the state will have direct access to it via its SIF (School Interoperability Framework)
  • The state law does not limit what data can be collected about our students
  • The state law does not legally bind the CSDE to protect that data 
  • The state has not made clear who is authorized to see that data
  • The state has not made its data privacy and security policies public

Now on to your statement that "neither districts, teachers, schools, nor the state department of education is allowed to share any student or parent addresses or contact information."

The relevant FERPA statutes state:
Subpart A—General
    §99.3 What definitions apply to these regulations?
         Personally Identifiable Information. The term includes, but is not limited to—
              (a) The student's name;
              (b) The name of the student's parent or other family members;
              (c) The address of the student or student's family;
              (d) A personal identifier, such as the student's social security number, student number, or biometric record;
              (e) Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name...

Subpart D—May an Educational Agency or Institution Disclose Personally Identifiable Information From Education Records?

§99.31 Under what conditions is prior consent not required to disclose information?
     (a) An educational agency or institution may disclose personally identifiable information from an education record of a student without the consent required by §99.30 if the disclosure meets one or more of the following conditions:
          (6)(i) The disclosure is to organizations conducting studies for, or on behalf of, educational agencies or institutions to:
            (A) Develop, validate, or administer predictive tests;
            (B) Administer student aid programs; or
            (C) Improve instruction.
It doesn't take a lawyer to explain that this means that personally identifiable information can be shared with for-profit corporations, including curriculum companies, testing companies, and even Google, since they "improve instruction" with the Google Docs that we use extensively here in Cheshire.

The law further states that:
§99.31(a)(6)(ii) Nothing in the Act or this part prevents a State or local educational authority or agency headed by an official listed in paragraph (a)(3) of this section from entering into agreements with organizations conducting studies under paragraph (a)(6)(i) of this section and redisclosing personally identifiable information from education records on behalf of educational agencies and institutions that disclosed the information to the State or local educational authority or agency headed by an official listed in paragraph (a)(3) of this section in accordance with the requirements of §99.33(b).
Which means that once the LEA (Local Education Agency) shares the information with the state, the state can then go ahead and share it with someone else on behalf of the LEA no matter what the LEA thinks about that.

Are there "protections" for what those parties are allowed to do with that information? Of course. But compliance with these laws rely on self-regulation, and once the information is shared, it can't be retrieved:
Subpart E—What Are the Enforcement Procedures?
§99.67 How does the Secretary enforce decisions?
     (e) If the Office finds that a third party, outside the educational agency or institution, improperly rediscloses personally identifiable information from education records in violation of §99.33 or fails to provide the notification required under §99.33(b)(2), then the educational agency or institution from which the personally identifiable information originated may not allow the third party found to be responsible for the violation access to personally identifiable information from education records for at least five years.

So let's once again summarize:
  • According to federal law, the state can redisclose information that Cheshire shares with it, without Cheshire's permission.
  • According to federal law, the state can share personally identifiable information with for-profit corporations. Then if the private corporations share it with anyone else, and they get caught, the state can't give them access to more personally identifiable information for five years. This doesn't take back the information though, or protect my kids from whoever those for-profit corporations shared it with; the information is irretrievably out there.
  • The state does not provide further protections for my children in its own statutes since:
  • The state law does not limit what data can be collected about our students
  • The state law does not legally bind the CSDE to protect that data  
  • The state has not made clear who is authorized to see that data
  • The state has not made its data privacy and security policies public
So unfortunately, your assurance that "neither districts, teachers, schools, nor the state department of education is allowed to share any student or parent addresses or contact information," is, if my understanding of all this is correct, mistaken. As long as you are doing so with someone claiming to "improve instruction" you can all share that information with whoever you want; this includes Triumph, OLSAT, Naviance, Powerschool, and Inform.

Andrew Abate, Cheshire's Technology Coordinator, lists on his LinkedIn account that he "Keep[s] abreast of educational reform with respect to technology, pedagogy, and policy", so you may want to verify with him all of the information that I've presented to you here.

And if you find that he quantitatively refutes any of this information, I would appreciate your letting me know, since I would be thrilled to be corrected on any of this.

No comments:

Post a Comment

Comments are very welcome, but are moderated. Please keep in mind that this blog is specifically for dissemination of information that is free from political affiliation bias and uneducated fear mongering. Comments containing either will not be approved.

Additionally, although you may know me from Facebook, and I am not shy about who I am, because I do share personal experiences here I ask that you respect the privacy of my children by refraining from using my real name. Comments that use my real name will unfortunately not be published.