May 23, 2014

It only looks like I've stopped paying attention...

Unfortunately I have had some health issues that have kept me preoccupied and not posting as often as I used to. However, I do still check on the Facebook groups and my Google Updates for Connecticut specific information. But with the Connecticut legislative session at an end, and with schools just about done for the year, things on the local level have gotten quiet. (This does not include the 2014 gubernatorial race, which is actually extremely relevant locally, and which you can keep updated about here.)

I will continue to report on everything else that I feel parents absolutely need to know here, so please be sure to subscribe to my posts on the left sidebar so you will be informed when the blog gets updated.

And prayers and positive energy would be very appreciated to help me through this non-life-threatening but very uncomfortable time. Thanks.

May 7, 2014

Connecticut's Office of Legislative Research Releases a Report On the Changes to FERPA

Those of you who are regulars here know that I have been in contact with my local State Representative Dante Bartolomeo, who serves on the Education Committee, regarding my concern with what the changes to FERPA means to children here in Connecticut.

Today she sent me a copy of the Office of Legislative Research Report that she had requested, and that frankly arrived sooner than I had expected. You can find that report here.

To summarize, in discussing the "significant changes" the OLR state:
Under certain conditions, the new regulations allow broader access to PII. [Personally Identifiable Information]

The prior regulations used the term authorized representative but did not define it.

The new regulations no longer require the authorized representative be under the direct control of the education agency releasing the information

Some groups, including the National School Boards Association (NSBA), have raised questions about the changes, saying DOE had gone too far in loosening the restrictions on PII under FERPA. In a May 23, 2011 letter to DOE Secretary Arne Duncan... an NSBA senior attorney wrote that DOE’s definition of “authorized authority” is overly broad and the definition should be limited to employees of the educational agency that possesses the information or a contractor specifically under the agency’s direct control.
The DOE narrative also suggests that one government agency, such as a state Labor Department, cannot be under the director control of another agency at the same level of government, such as the state Department of Education, therefore the “direct control” principle does not make sense in that context.

The prior regulations prevented a state education department from releasing PII it received from local education agencies to a research organization unless it had specific legal authorization to do so (this is sometimes referred to as “redisclosure” as the local agency had already disclosed the information to the state agency). Under the new regulations, state education agencies can enter into agreements with research organizations for... study purposes without specific authority.

In its 2011 letter to DOE, NSBA also objected to this change and suggested it exceeds the statutory authority of FERPA. NSBA urged that a state education department should be required to seek permission from the local education agency that supplies the PII before the state agrees to provide that information to a research organization.

What I was happy to see in this Report was the OLR including the entire letter from the National School Boards Association to Arne Duncan as an attachment, thereby testifying to the points it makes and questions it asks as noteworthy and relevant.

Things I find most interesting include:
As a practical matter, it is not clear how the effective use of data in statewide longitudinal data systems (SLDS) as envisioned by the COMPETES Actor ARRA necessitates designation of others beyond an employee or a contractor as authorized representatives. Under what circumstances would others besides these two types of representatives conduct an audit or evaluation of a Federal or state education program that would necessitate non-consensual disclosure of PII?

Will "reasonable methods" and a written agreement likely ensure that "authorized  representatives" unfamiliar with the privacy concerns inherent in educational programs comply with FERPA?

...if for some reason, such an authorized representative, state or local educational authority, or agency headed by an official... makes an improper re-disclosure, DOE proposes that  the educational agency or institution from which the personally identifiable information (PII) originated would be prohibited from permitting the entity responsible for the improper re-disclosure access to data for at least five years. NSBA suggests that instead of requiring the educational agency or institution to deny access to data for five years, the entity responsible for the re-disclosure should be prohibited from requesting PII from the educational agency or institution for at least five years. It is unfair to put the onus on the originating educational agency or institution to deny access to the entity that made an improper disclosure. After all, the educational agency or institution did not make the improper disclosure and was reasonably relying on "reasonable methods" and a written agreement to prevent improper re-disclosure. Likewise, the educational agency or institution may not even be aware that an improper re-disclosure has been made. In a similar vein, NSBA encourages DOE to modify current §99.33(e) to state that if a third party improperly re-discloses PIT from education records that third party may not request PII from the originating education agency or institution for at least five years.

With today being the last day of the legislative session here in Connecticut, nothing is going to be done to protect our kids' privacy on a state level this school year. But some people are still optimistic about getting FERPA reversed on the federal level; with our own U.S. Senator Richard Blumenthal, and Ed Markey of Massachussetts introducing the Personal Data Protection and Breach Accountability Act, there is hope that Blumenthal can be made to see the FERPA problem. But regardless of whether or not that happens, legislation needs to be passed here in Connecticut to protect our kids' privacy. It will be an uphill battle considering that attempts have already been made to degrade it at the college level, but nevertheless, the battle will continue after the elections in the fall.